I am creating a Flask application with a checkbox extension. In the documentation for the checkbox, it is recommended to configure an alternative token generator, which not only uses the user ID and application to create a session token (which is the default method). But he does not give clear recommendations on how to do this.
So, for User.get_auth_token() I use the make_secure_token function with the email and user password as parameters (so that I get a hash of these parameters + application secret).
Then I will need to get the user from the token_loader callback token_loader . The default method for generating tokens in flash logic should include both the original user identifier and the user privacy hash ID + app. This makes finding the user from the token quite simple - just grab the ID and find the user.
But should I show the user ID in the session token? If I do not, should I store the session token in the database or somewhere else with a user ID to make the search possible?
In short: does anyone know what works best for creating a secure token and corresponding token_loader ?
source share