API Tokens: A Tedious Survey

Author : enobrev
Score  : 42 points
Date   : 2021-08-24 21:41 UTC
Link   : web link (fly.io)

| simonw wrote:
| This is great.
|
| One thing that's worth remembering about randomly generated
| tokens is that it's important to always use safe comparison
| methods when comparing them to the stored one - otherwise you
| could be vulnerable to timing attacks.
|
| In Python you can use secrets.compare_digest(a, b) for this:
| https://docs.python.org/3/library/secrets.html#secrets.compa...

| simonw wrote:
| On Facebook: "You've got a bunch of services, like Messages and
| Photos and Presence and Ivermectin Advocacy". Ouch!

| zrail wrote:
| There's an additional nuance to opaque random-ish tokens that can
| be helpful in high-traffic situations. You can essentially encode
| some, for lack of a better word, "routing" information (shard,
| region, etc) into the token when you generate it. It's still
| random, you still verify the whole token with your database, but
| you can extract the routing info and pass it to the correct
| backend from a mostly-stateless frontend.

| mooreds wrote:
| This was great. A really fair survey of various token methods.
| Plus plenty of liveliness, not boring at all. Thanks, OP!
|
| One thing that I wish was addressed more was language/library
| support. It gets casual references a couple of times, but for an
| average developer (as I consider myself) a set of robust,
| supported open source libraries that help me use a token is so
| important (not write an implementation, but use in a project that
| just wants to use the tokens safely).
|
| I don't have anything but anecdata, but I feel like most software
| is going to be in the 'just want to use it' category, rather than
| the 'need to implement it'.
|
| This is where the standards like OAuth and JWT win right now.
| That doesn't mean they always will, but in my experience, that's
| the current situation.

| CiPHPerCoder wrote:
| For PASETO, the quick guide to library support is
| https://paseto.io

| tptacek wrote:
| The one thing I'm not super comfortable about here is my PASETO
| take. My attitude going in was that PASETO has a lot of boosters
| and not a lot of critical takes. I can beat up on Macaroons
| because we're using them, and I'm going to follow up with a post
| about what our Macaroons look like. I'm not doing that with
| PASETO. So, like, I stand by it, but take it for what it's worth.
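The two points raised above by simonw (constant-time comparison of random tokens) and zrail (a routing prefix inside an otherwise opaque token that is still verified in full against the store) combined in one added example; this is illustrative code, not from the article or any commenter. The token layout `<shard>.<id>.<secret>`, the in-memory store and the shard names are assumptions made for the example.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory token store for the example: token_id -> (shard, sha256 of secret).
# Storing a digest rather than the secret means a leaked table does not yield usable tokens.
_STORE: Dict[str, Tuple[str, bytes]] = {}


def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


def mint_token(shard: str) -> str:
    """Mint an opaque token in the assumed form '<shard>.<id>.<secret>'.

    The shard prefix is routing information only; the backend never trusts it
    on its own, it is re-checked against the stored record on verification."""
    token_id = secrets.token_hex(8)          # public lookup key
    secret = secrets.token_urlsafe(32)       # the actual credential (no '.' in its alphabet)
    _STORE[token_id] = (shard, _digest(secret))
    return f"{shard}.{token_id}.{secret}"


def route_for(token: str) -> Optional[str]:
    """Extract the shard from the prefix without touching the store (stateless frontend)."""
    parts = token.split(".")
    return parts[0] if len(parts) == 3 and parts[0] else None


def verify_token(token: str) -> bool:
    """Verify the whole token against the store; malformed input is rejected, not raised."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    shard, token_id, secret = parts
    record = _STORE.get(token_id)
    if record is None:
        _digest(secret)  # burn the same hashing cost so unknown ids look like bad secrets
        return False
    stored_shard, stored_digest = record
    # Constant-time comparison of the secret material (simonw's point). The shard is
    # public routing data, so an ordinary equality check is fine for it.
    secret_ok = secrets.compare_digest(_digest(secret), stored_digest)
    return secret_ok and shard == stored_shard
```

A frontend can call `route_for` to pick a backend before any database access, while the chosen backend still runs `verify_token` on the complete string.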