Attesto.Secret (Attesto v0.5.0)


Generate and hash the opaque secrets that back stateful grants.

Authorization codes and refresh tokens are high-entropy random strings handed to a client once. The server never needs the plaintext again, so it persists only a hash: a leaked code/refresh store then yields no usable credentials. This module is the single place that generates such secrets and computes their lookup hash.

  • generate/1 returns a fresh base64url-no-pad secret with the given entropy (default 32 bytes = 256 bits).
  • hash/1 returns the SHA-256 base64url-no-pad digest used as the storage key. Lookups hash the presented secret and compare, so the store is keyed by hash/1 output, never by plaintext.

Comparisons against a stored value should go through Attesto.SecureCompare to stay constant-time.
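The flow the paragraphs above describe, as an added stand-alone example (this is not Attesto's own code): a module that generates a secret the way generate/1 does, derives its storage key the way hash/1 does, keeps a store keyed only by that hash, redeems an authorization code exactly once, and checks a presented secret against one stored hash with a constant-time comparison. It uses only :crypto and Base from OTP/Elixir; the module name, the issue/redeem/matches_stored_hash? functions and the in-memory map standing in for a database are assumptions, and the inlined byte comparison stands in for Attesto.SecureCompare, whose API is not shown on this page.

```elixir
# Added example, not Attesto's own code. Only generate/1 and hash/1 mirror the
# documented API; every other name here is an assumption for illustration.
defmodule SecretStoreExample do
  @default_bytes 32

  # Mirrors generate/1: random bytes from the OS CSPRNG, base64url, no padding.
  def generate(bytes \\ @default_bytes) when is_integer(bytes) and bytes > 0 do
    bytes
    |> :crypto.strong_rand_bytes()
    |> Base.url_encode64(padding: false)
  end

  # Mirrors hash/1: SHA-256 of the secret's bytes, base64url, no padding.
  def hash(secret) when is_binary(secret) do
    :sha256
    |> :crypto.hash(secret)
    |> Base.url_encode64(padding: false)
  end

  # Issue a grant. The store (a map here, a table in practice) is keyed by the
  # hash; only the hash is persisted and the plaintext is handed back once.
  def issue(store, grant, bytes \\ @default_bytes) do
    secret = generate(bytes)
    {secret, Map.put(store, hash(secret), grant)}
  end

  # Redeem an authorization code: hash the presented value, pop the row so the
  # same code cannot be replayed, and return the grant if one existed.
  def redeem(store, presented) when is_binary(presented) do
    case Map.pop(store, hash(presented)) do
      {nil, store} -> {:error, :unknown_or_used, store}
      {grant, store} -> {:ok, grant, store}
    end
  end

  # Compare a presented secret against one specific stored hash (for example the
  # current refresh token recorded on a grant) without short-circuiting on the
  # first differing byte. Stand-in for Attesto.SecureCompare.
  def matches_stored_hash?(presented, stored_hash)
      when is_binary(presented) and is_binary(stored_hash) do
    constant_time_equal?(hash(presented), stored_hash)
  end

  defp constant_time_equal?(a, b) when byte_size(a) != byte_size(b), do: false

  defp constant_time_equal?(a, b) do
    # XOR each byte pair and OR the results; the fold visits every byte.
    a
    |> :binary.bin_to_list()
    |> Enum.zip(:binary.bin_to_list(b))
    |> Enum.reduce(0, fn {x, y}, acc -> :erlang.bor(acc, :erlang.bxor(x, y)) end)
    |> Kernel.==(0)
  end
end

# Usage: issue a code, redeem it once, and observe that a replay is rejected.
grant_in = %{client_id: "demo-client", scope: "read"}
{code, store} = SecretStoreExample.issue(%{}, grant_in)
{:ok, ^grant_in, store} = SecretStoreExample.redeem(store, code)
{:error, :unknown_or_used, _store} = SecretStoreExample.redeem(store, code)
true = SecretStoreExample.matches_stored_hash?(code, SecretStoreExample.hash(code))
false = SecretStoreExample.matches_stored_hash?("not-the-code", SecretStoreExample.hash(code))
IO.puts("code length: #{byte_size(code)} chars, store now holds #{map_size(store)} rows")
```

Run it with `elixir secret_store_example.exs`. A 32-byte secret encodes to 43 base64url characters, and so does every SHA-256 key in the store, which is why the length guard in the comparison never fires for well-formed inputs; the map lookup in redeem/2 is what the page means by "keyed by hash/1 output", while matches_stored_hash?/2 is the path for comparing against a value already fetched from storage.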

Summary

Functions

Generate a fresh random secret as a base64url-no-pad string with the given number of random bytes of entropy (default 32).

The SHA-256 base64url-no-pad hash of the given secret, used as its storage key.

Functions

generate(bytes \\ 32)

@spec generate(pos_integer()) :: String.t()

Generate a fresh random secret as a base64url-no-pad string with the given number of random bytes of entropy (default 32).

hash(secret)

@spec hash(String.t()) :: String.t()

The SHA-256 base64url-no-pad hash of the given secret, used as its storage key.