hash token on account creation, not just password reset

bocoup · Feb 16, 2024 · 95702c2 · 95702c2
1 parent 4ff37ae
commit 95702c2
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/app/models/user.server.ts b/app/models/user.server.ts
@@ -39,12 +39,16 @@ export async function createUser(
   password: string,
   doNotSell: boolean,
 ) {
+  const newToken = randomBytes(16).toString("hex");
+  const hashedNewToken = sha256(newToken);
+
   const hashedPassword = await bcrypt.hash(password, 10);
 
   return prisma.user.create({
     data: {
       email,
       doNotSell,
+      token: hashedNewToken,
       password: {
         create: {
           hash: hashedPassword,
@@ -120,6 +124,7 @@ export async function verifyEmail({
       },
       data: {
         emailVerified: true,
+        token: "",
       },
     });
   }

diff --git a/prisma/schema.prisma b/prisma/schema.prisma
@@ -10,7 +10,7 @@ datasource db {
 model User {
   id            String      @id @default(cuid())
   email         String      @unique
-  token         String      @unique @default(uuid())
+  token         String      @unique
   emailVerified Boolean?    @default(false)
   createdAt     DateTime    @default(now())
   updatedAt     DateTime    @updatedAt