Hi, I am a newbie to Meteor and I would like to know what the use is of the hashedToken generated inside the Meteor.user object.
In the Meteor documentation it is explained that the services object contains data used by particular login services. For example, its reset field contains tokens used by forgot password links, and its resume field contains tokens used to keep you logged in between sessions.
When I check the localStorage, Meteor.loginToken seems different from the hashedToken.
So my questions are:
1. What is the difference between Meteor.loginToken generated in the local storage and hashedToken generated inside the service object?
2. Also, why is resume.loginTokens inside the service object an array?
Any help is appreciated...
So a loginToken is a string of characters that can be left on the computer similar to a cookie token. You don't want to leave the actual username and password on a computer so the token is used instead.
The token is then used to authenticate to the server and log-in in place of a username/password.
There are multiple of them in the array because you can be logged in on many devices at the same time. Each would have its own token.
The reason the tokens are hashed is an extra measure of security on the database. The tokens on the client are SHA-256 hashed and matched against the already hashed ones in the database to try and log in the user automatically.
The reason they are hashed is so that no one can use them in loginToken localStorage form to log in as a certain user by copying one from the database and pasting it as a localStorage loginToken. It's similar to a plaintext password being able to be used to log in a user.
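
The scheme this answer describes, as an added Node.js sketch that is not part of the original post and not Meteor's own code: the raw token goes to the client, only its SHA-256 hash is stored, and each device gets its own array entry. The function names, the in-memory `users` array, the hex token format and the base64 hash encoding are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// SHA-256 of the raw token. Base64 output is an assumption of this sketch.
function hashLoginToken(rawToken) {
  return crypto.createHash("sha256").update(rawToken).digest("base64");
}

// New login on a device: return the raw token for the client's localStorage,
// store only its hash on the user document (hypothetical helper).
function issueLoginToken(user) {
  const rawToken = crypto.randomBytes(32).toString("hex");
  user.services.resume.loginTokens.push({
    hashedToken: hashLoginToken(rawToken),
    when: new Date(),
  });
  return rawToken;
}

// Resume a session: hash whatever the client presented and look that up.
function findUserByResumeToken(users, presentedToken) {
  const hashed = hashLoginToken(presentedToken);
  const match = users.find((u) =>
    u.services.resume.loginTokens.some((t) => t.hashedToken === hashed)
  );
  return match || null;
}

// Log out one device: drop only that device's entry from the array.
function revokeLoginToken(user, rawToken) {
  const hashed = hashLoginToken(rawToken);
  const tokens = user.services.resume.loginTokens;
  user.services.resume.loginTokens = tokens.filter(
    (t) => t.hashedToken !== hashed
  );
}

// Constructed sample data: one user logged in on two devices.
const alice = { username: "alice", services: { resume: { loginTokens: [] } } };
const users = [alice];
const laptopToken = issueLoginToken(alice);
const phoneToken = issueLoginToken(alice);

// A value read straight from the database is a hash, not a usable token:
// presenting it gets hashed again and matches nothing.
const leakedHash = alice.services.resume.loginTokens[0].hashedToken;
console.log("laptop token resumes:", findUserByResumeToken(users, laptopToken) === alice);
console.log("leaked hash resumes:", findUserByResumeToken(users, leakedHash) !== null);
```

Because lookup always hashes the presented value first, read access to the user collection does not yield anything that can be pasted into localStorage to resume a session.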