I’m implementing forgot-password functionality in my NextJS app. I’m generating a temporary token whenever the user clicks on "forgot password". Should I store the temporary token in the already existing users table:

    User table
        user_id
        user_name
        forgotpass_token

Here only a few people will have a token, hence most of the fields will be NULL.

Or can I create a new table to store just these 2 values:

    forgotpass table
        user_id
        forgotpass_token

Which method would be optimal, or is there any better solution?
2 Answers
The second approach is cleaner. Also add an expiration timestamp for the token.
Use the second approach, with the separate table.
As was mentioned in another answer, you also need a column for an "expires" date. But beyond this, in the event of account takeover (or even just attempted account takeover) you’ll want to have history for everything, meaning a user might need many rows in the table over time, and you want to think about other relevant data of the event, such as source IP, user agent, etc. Keeping this in its own table not only makes this cleaner, but also makes it much easier to change if you find something else you need to log.
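A separate table along the lines of this answer, as an added example that is not part of the original question or answers: one row per reset request with an expiry, the requester's IP and user agent, single-use redemption, and a history query. It uses Python's sqlite3 so the SQL actually runs; the column names, the 30-minute lifetime and the function names are assumptions.

```python
import secrets
import sqlite3
from datetime import datetime, timedelta

# One row per reset request (kept, never overwritten) with expiry and requester
# IP / user agent, as the answers recommend. Column names are assumptions.
SCHEMA = """
CREATE TABLE IF NOT EXISTS forgotpass (
    user_id    INTEGER NOT NULL,
    token      TEXT    NOT NULL UNIQUE,
    created_at TEXT    NOT NULL,
    expires_at TEXT    NOT NULL,
    used_at    TEXT,
    source_ip  TEXT,
    user_agent TEXT
);
"""
TOKEN_TTL = timedelta(minutes=30)  # assumed lifetime of a reset token

def open_db():
    conn = sqlite3.connect(":memory:")  # in-memory for the example
    conn.executescript(SCHEMA)
    return conn

def issue_token(conn, user_id, source_ip, user_agent, now):
    """Create a fresh token for the user and record who requested it and when."""
    token = secrets.token_urlsafe(32)
    conn.execute(
        "INSERT INTO forgotpass (user_id, token, created_at, expires_at, source_ip, user_agent)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (user_id, token, now.isoformat(), (now + TOKEN_TTL).isoformat(), source_ip, user_agent),
    )
    return token

def redeem_token(conn, token, now):
    """Return user_id if the token exists, is unexpired and unused; else None."""
    row = conn.execute(
        "SELECT user_id, expires_at, used_at FROM forgotpass WHERE token = ?", (token,)
    ).fetchone()
    if row is None:
        return None
    user_id, expires_at, used_at = row
    if used_at is not None or now >= datetime.fromisoformat(expires_at):
        return None  # expired or already redeemed; the row stays as history
    conn.execute("UPDATE forgotpass SET used_at = ? WHERE token = ?", (now.isoformat(), token))
    return user_id

def reset_history(conn, user_id):
    """All reset requests for a user, oldest first, for reviewing a suspected takeover."""
    sql = "SELECT created_at, source_ip, user_agent, used_at FROM forgotpass WHERE user_id = ?"
    return conn.execute(sql + " ORDER BY created_at", (user_id,)).fetchall()
```

Pass the same clock (UTC in practice) to both functions; the rows of a redeemed or expired request are never deleted, so every attempt remains visible in the history.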