
I’m implementing forgot password functionality in my NextJS app. I’m generating a temporary token whenever the user clicks on forgot password. Should I store the temporary token in the already existing users table,

User table

user_id
user_name
forgotpass_token

Here only a few people will have a token, hence most of the fields will be NULL.

or can I create a new table to store just these 2 values:

forgotpass table

user_id
forgotpass_token

Which method would be optimal, or is there any better solution?

2 Answers


  1. The second approach is cleaner. Also add an expiration timestamp for the token.

  2. Use the second approach, with the separate table.

    As was mentioned in another answer, you also need a column for an "expires" date. But beyond this, in the event of account takeover (or even just attempted account takeover) you’ll want to have history for everything, meaning a user might need many rows in the table over time, and you want to think about other relevant data of the event, such as source IP, user agent, etc. Keeping this in its own table not only makes this cleaner, but also makes it much easier to change if you find something else you need to log.
