{"id":24294517,"url":"https://github.com/miikka/split-token","last_synced_at":"2025-09-25T20:31:29.795Z","repository":{"id":47292652,"uuid":"402964258","full_name":"miikka/split-token","owner":"miikka","description":"Generating and verifying split tokens with Clojure","archived":false,"fork":false,"pushed_at":"2021-10-03T07:21:22.000Z","size":22,"stargazers_count":12,"open_issues_count":0,"forks_count":1,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-04-14T13:01:18.320Z","etag":null,"topics":["authentication","clojure","cryptography","split-token"],"latest_commit_sha":null,"homepage":"","language":"Clojure","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"isc","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/miikka.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-09-04T04:35:19.000Z","updated_at":"2024-04-14T13:01:18.320Z","dependencies_parsed_at":"2022-09-01T05:01:29.741Z","dependency_job_id":null,"html_url":"https://github.com/miikka/split-token","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/miikka%2Fsplit-token","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/miikka%2Fsplit-token/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/miikka%2Fsplit-token/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/miikka%2Fsplit-token/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/miikka","download_url":"https://codeload.github.com/miikka/split-token/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https
://github.com","kind":"github","repositories_count":234244252,"owners_count":18801886,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","clojure","cryptography","split-token"],"created_at":"2025-01-16T17:47:11.606Z","updated_at":"2025-09-25T20:31:24.511Z","avatar_url":"https://github.com/miikka.png","language":"Clojure","funding_links":[],"categories":[],"sub_categories":[],"readme":"# split-token\n\nThis library implements [split tokens].\n\n[![Clojars Project](https://img.shields.io/clojars/v/net.clojars.miikka/split-token.svg)](https://clojars.org/net.clojars.miikka/split-token)\n\n## What are split tokens?\n\nA standard way to implement password reset tokens and similar is to [generate a random token][generate],\nsend it to your user, usually in a URL, and store it in your database.\nWhen the user tries to use the token, you check that the token is in the database.\n\nSplit tokens improve upon this design. You still generate a random token and send it to your user,\nbut you store it in the database in two parts called the _selector_ and the _verifier_.\nThe selector is stored as-is and the verifier is hashed before saving.\nThe full token _is not_ stored in your database since the verifier is hashed.\n\nWhen the user wants to use a token, you split it and use the selector to look up the verifier hash from the database.\nThen you hash the user-supplied verifier and check that it matches the stored hash.\nThis achieves two things:\n\n* It prevents [timing attacks]. Looking up the full token in a database is typically susceptible to timing attacks, but comparing the hash of the supplied verifier against the stored hash is not: even if that comparison leaks timing, it leaks bytes of the hash rather than of the verifier.\n* An attacker with read access to your token database cannot use the tokens themselves, because only the hash of the verifier is stored.\n\nThis is basically the same reason you hash users' passwords with a password hashing function before storing them in the database,\nexcept that we have a single randomly-generated token instead of a username and a password.\n\n[generate]: https://quanttype.net/posts/2020-10-18-random-tokens-in-clojure.html\n[split tokens]: https://paragonie.com/blog/2017/02/split-tokens-token-based-authentication-protocols-without-side-channels\n[timing attacks]: https://soatok.blog/2021/08/20/lobste-rs-password-reset-vulnerability/\n\n## Example\n\nGenerating a token:\n\n```clojure\n(require '[split-token.core :as split-token])\n\n(split-token/generate)\n;; {:selector \"gEHOHXOFanTHp43CbFWdCw\",\n;;  :verifier-hash \"m0UYbYs2dhbeGHnsjCLY4w\",\n;;  :token \"gEHOHXOFanTHp43CbFWdC0yKajTVYk58FpXoCt9FyQY\"}\n```\n\nValidating a token:\n\n```clojure\n(let [token \"gEHOHXOFanTHp43CbFWdC0yKajTVYk58FpXoCt9FyQY\"]\n  (split-token/get-selector token))\n;; \"gEHOHXOFanTHp43CbFWdCw\"\n\n;; At this point you'd look up the verifier hash from the database based on the selector.\n;; Then you can verify it:\n\n(let [token \"gEHOHXOFanTHp43CbFWdC0yKajTVYk58FpXoCt9FyQY\"\n      verifier-hash \"m0UYbYs2dhbeGHnsjCLY4w\"]\n  (split-token/valid? token verifier-hash))\n;; true\n```\n\n## Technical details\n\n* The library uses 32-byte tokens with 16-byte selectors and 16-byte verifiers.\n* The hash is 128-bit BLAKE2b.\n* To make things easy, all the functions return URL-safe Base64-encoded strings.\n* There's no configuration. 
The implementation is one short file, though, so you could [vendor](https://stackoverflow.com/a/39643873) it.\n* This library builds on [buddy-core](https://github.com/funcool/buddy-core), which builds on [Bouncy Castle](https://www.bouncycastle.org).\n\n## Development\n\nRun tests:\n\n```sh\nbin/kaocha\n\n# Automatically run tests when files change\nbin/kaocha --watch\n```\n\nDeployment:\n\n```sh\nexport CLOJARS_USERNAME=...\nexport CLOJARS_PASSWORD=...\n\nclj -T:build jar\nclj -T:build deploy\n```\n\n## License\n\nCopyright 2021 Miikka Koskinen. Distributed under the terms of ISC license, see `LICENSE`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmiikka%2Fsplit-token","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmiikka%2Fsplit-token","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmiikka%2Fsplit-token/lists"}
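The README in the record above describes the split-token scheme (random 32-byte token, 16-byte selector stored in the clear, 16-byte verifier stored only as a 128-bit BLAKE2b hash, URL-safe Base64 everywhere) and its password-reset flow. The following is an added Python re-implementation written for this page; it is not the split-token library's code and does not claim to reproduce its exact hash output. It assumes the hash is an unkeyed BLAKE2b-128 over the raw verifier bytes (the README only says "128-bit BLAKE2b") and uses an in-memory dict in place of the database table. The function names `generate`, `get_selector` and `valid` mirror the README's Clojure functions; `issue_reset_token` and `redeem_reset_token` are illustrative names for the surrounding flow.

```python
"""Added example: a Python re-implementation of the split-token scheme.
Not the split-token library's code.  Parameters follow the README's
'Technical details'; the exact hash input is an assumption (see below)."""
import base64
import binascii
import hashlib
import hmac
import secrets

SELECTOR_LEN = 16
VERIFIER_LEN = 16
TOKEN_LEN = SELECTOR_LEN + VERIFIER_LEN


def _b64(raw: bytes) -> str:
    """URL-safe Base64 without '=' padding, matching the README's output format."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64: re-adds padding; raises binascii.Error on bad input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_verifier(verifier: bytes) -> str:
    """Assumed hash: unkeyed 128-bit BLAKE2b over the raw verifier bytes.
    A fast unsalted hash is acceptable here, unlike for passwords: the
    verifier is 128 uniformly random bits, so a leaked hash gives an
    attacker nothing cheaper than a 2^128 search."""
    return _b64(hashlib.blake2b(verifier, digest_size=16).digest())


def generate() -> dict:
    """Mirror of split-token/generate: selector, verifier hash and full token."""
    raw = secrets.token_bytes(TOKEN_LEN)
    selector, verifier = raw[:SELECTOR_LEN], raw[SELECTOR_LEN:]
    return {
        "selector": _b64(selector),                # stored as-is, used as lookup key
        "verifier_hash": hash_verifier(verifier),  # stored; the verifier itself never is
        "token": _b64(raw),                        # sent to the user, e.g. in a reset URL
    }


def get_selector(token: str) -> str:
    """Mirror of split-token/get-selector: first 16 decoded bytes, re-encoded alone."""
    return _b64(_unb64(token)[:SELECTOR_LEN])


def valid(token: str, stored_verifier_hash: str) -> bool:
    """Mirror of split-token/valid?: hash the supplied verifier, compare to the stored hash."""
    try:
        raw = _unb64(token)
    except (ValueError, binascii.Error):
        return False
    if len(raw) != TOKEN_LEN:
        return False
    candidate = hash_verifier(raw[SELECTOR_LEN:])
    # Constant-time comparison.  Even a leaky comparison here would only reveal
    # bytes of the hash, which does not help an attacker recover the verifier.
    return hmac.compare_digest(candidate.encode("ascii"),
                               stored_verifier_hash.encode("ascii"))


# The password-reset flow from the README.  `db` is a constructed in-memory
# dict standing in for a table keyed by selector (example stand-in, not real storage).

def issue_reset_token(db: dict, user_id: str) -> str:
    """Create a token for user_id; persist only selector -> (user_id, verifier hash)."""
    t = generate()
    db[t["selector"]] = {"user_id": user_id, "verifier_hash": t["verifier_hash"]}
    return t["token"]


def redeem_reset_token(db: dict, token: str):
    """Return user_id if the token is valid, consuming it; otherwise None."""
    try:
        selector = get_selector(token)
    except (ValueError, binascii.Error):
        return None
    row = db.get(selector)  # the lookup key carries no information about the verifier
    if row is None or not valid(token, row["verifier_hash"]):
        return None
    del db[selector]        # single use
    return row["user_id"]
```

The selector re-encoding in `get_selector` is pure Base64 arithmetic, so it reproduces the README's own sample exactly: the token `gEHOHXOFanTHp43CbFWdC0yKajTVYk58FpXoCt9FyQY` yields the selector `gEHOHXOFanTHp43CbFWdCw`. The `valid` function rejects malformed or wrong-length input before hashing, which is the check a real endpoint needs in front of the comparison.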