Auth Tokens should not be stored in plain text #9765
Replies: 2 comments 1 reply
-
@profhase Can I take up this bug of saving a hashed auth token instead of plain text?
-
I think it's more like a session ID. When users log in traditionally, they send username + password. We can look up the username to find their account in the DB and then check the plain password against the hashed one from that user. If it matches, Django creates a session ID and stores this in the DB (in plain text). For all subsequent requests, the browser sends the session ID; it doesn't send the username + password again. API tokens are similar: they first require the user to log in with username + password, and a key is generated, which is used to look up an open session. Hashing a password is computationally expensive; doing this on every request is not very scalable.
-
An auth token for the API is the same as a password for a user.
IMHO it should not be saved in plain text in the database, but rather as a hash (similar to passwords).
I know that there are other apps that provide that, but I think that the minimal implementation that DRF delivers
should be secure (or not be offered), as it is easily used in production, causing security flaws.
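An added example (not DRF's own code) of the storage pattern the two comments above are circling: the token row keeps only a SHA-256 digest, each request hashes the presented value and looks the row up by that digest, and because the token is 256 bits of CSPRNG output, a single fast hash is enough and costs nothing like the per-request password KDF the second comment worries about. The in-memory dict standing in for the token table and the function names are assumptions.

```python
import hashlib
import secrets
from typing import Optional

# Constructed stand-in for the token table: indexed column "digest" -> row.
# Only digests are stored, so a leaked table yields no usable credentials.
TOKEN_TABLE = {}


def _digest(raw_token: str) -> str:
    # The token is random and high-entropy, so offline guessing is infeasible
    # and an unsalted, fast hash is sufficient. A slow KDF (as for passwords)
    # is only needed when the secret is low-entropy and user-chosen.
    return hashlib.sha256(raw_token.encode("ascii")).hexdigest()


def issue_token(user_id: int) -> str:
    """Create a token for user_id and return the raw value exactly once."""
    raw = secrets.token_hex(32)  # 64 hex chars, 256 bits from the CSPRNG
    TOKEN_TABLE[_digest(raw)] = {"user_id": user_id}
    return raw  # shown to the caller, never persisted


def authenticate(presented: Optional[str]) -> Optional[dict]:
    """Resolve a presented token to its row, or None if it is unknown."""
    if not presented:
        return None
    # One hash per request, then an indexed lookup on the digest column; the
    # digest itself cannot be inverted to recover the token.
    return TOKEN_TABLE.get(_digest(presented))


def revoke_token(raw_token: str) -> bool:
    """Delete the row for raw_token; True if a row existed."""
    return TOKEN_TABLE.pop(_digest(raw_token), None) is not None
```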