Security review of authentication tokens

For the Five for the Future project, I ended up writing some custom code for authentication tokens which are stateful, have (cryptographically secure) random values, and can only be used once.

Those tokens will be used by companies to manage their pledges, so if an attacker were able to obtain a token, they’d be able to change a company’s name, logo, description, etc. to something inappropriate, remove contributors from the pledge, and deactivate the pledge entirely.

The reasons why authentication tokens were chosen are documented in the commit, and additional background is available in issue #34 and PR #46.

Does anyone have any thoughts on the code, think there are any missing test cases, or see any other problems? If you think there’s an active vulnerability, please ping me privately or report it via HackerOne.
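
The three properties named above (stateful, cryptographically secure random values, single use), with the test cases a reviewer might look for, as an added PHP example; this is not the Five for the Future code from the commit. The class name, the in-memory store, the pledge IDs and the choice to store only a SHA-256 hash of each token are assumptions of the example.

```php
<?php
// Added illustration, not the project's code. All names here are hypothetical.
final class PledgeTokenStore {
    /** @var array<int,string> pledge ID => SHA-256 of the outstanding token (server-side state) */
    private array $hashes = [];

    /** Issue a fresh token for a pledge, replacing any earlier unused one. */
    public function issue(int $pledgeId): string {
        $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
        // Assumption of this example: keep only a hash, so a leaked store holds no usable tokens.
        $this->hashes[$pledgeId] = hash('sha256', $token);
        return $token;
    }

    /** Validate a token for a pledge and consume it, so it works at most once. */
    public function redeem(int $pledgeId, string $token): bool {
        $stored = $this->hashes[$pledgeId] ?? null;
        if ($stored === null) {
            return false; // never issued, or already used
        }
        // Constant-time comparison: no timing signal about how much of the value matched.
        if (!hash_equals($stored, hash('sha256', $token))) {
            return false;
        }
        unset($this->hashes[$pledgeId]); // consume the token on success
        return true;
    }
}

function check(bool $ok, string $case): void {
    if (!$ok) { throw new RuntimeException("FAILED: $case"); }
    echo "ok: $case\n";
}

// Constructed pledge IDs; each line is a test case for the properties above.
$store = new PledgeTokenStore();
$a = $store->issue(101);
$b = $store->issue(202);
check(strlen($a) === 64 && $a !== $b, 'tokens are 256-bit and distinct');
check(!$store->redeem(202, $a), 'token for another pledge is rejected');
check(!$store->redeem(101, ''), 'empty token is rejected');
check($store->redeem(101, $a), 'valid token is accepted once');
check(!$store->redeem(101, $a), 'replay of a used token is rejected');
$b2 = $store->issue(202);
check(!$store->redeem(202, $b), 'superseded token is rejected');
check($store->redeem(202, $b2), 'replacement token is accepted');
```

With a shared database instead of an in-memory array, the compare-and-delete in `redeem()` has to be atomic, otherwise two concurrent requests can both pass the check with the same token.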