Context
In Phase 10, authenticateProjectToken performs an O(n) scan over all projects, verifying the token against each Argon2id hash with constant-time comparison. This is correct and secure, but does not scale beyond ~100 projects.
Requirements
- Store a SHA-256 hash of each plaintext token in a new indexed column (tokenPrefix) on the Project model
- On auth, compute SHA-256 of the incoming token and look up the candidate project by prefix (O(1) index lookup)
- Then verify the full token against the Argon2id hash (single comparison instead of N)
- Migration must backfill tokenPrefix for existing projects. Only the Argon2id hash is stored, so the SHA-256 value cannot be derived from existing rows; it has to be computed from the plaintext, which is only available during provisioning (requires re-hashing from plaintext at that point)
Acceptance Criteria
- Project model has a tokenPrefix column with a unique index
- authenticateProjectToken uses the SHA-256 prefix for O(1) lookup