[HN Gopher] API Tokens: A Tedious Survey
___________________________________________________________________
API Tokens: A Tedious Survey
Author : enobrev
Score : 42 points
Date : 2021-08-24 21:41 UTC (1 hours ago)
(HTM) web link (fly.io)
(TXT) w3m dump (fly.io)
| simonw wrote:
| This is great.
|
| One thing that's worth remembering about randomly generated
| tokens is that it's important to always use safe comparison
| methods when comparing them to the stored one - otherwise you
| could be vulnerable to timing attacks.
|
| In Python you can use secrets.compare_digest(a, b) for this:
| https://docs.python.org/3/library/secrets.html#secrets.compa...
| simonw wrote:
| On Facebook: "You've got a bunch of services, like Messages and
| Photos and Presence and Ivermectin Advocacy". Ouch!
| zrail wrote:
| There's an additional nuance to opaque random-ish tokens that can
| be helpful in high-traffic situations. You can essentially encode
| some, for lack of a better word, "routing" information (shard,
| region, etc) into the token when you generate it. It's still
| random, you still verify the whole token with your database, but
| you can extract the routing info and pass it to the correct
| backend from a mostly-stateless frontend.
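A small illustration of the two points raised above (the routing hint inside an otherwise random token, and the constant-time comparison when verifying it), written for this thread rather than taken from the linked article; the shard names, the `shard.id.secret` layout and the in-memory per-shard stores are assumptions:

```python
import hashlib
import secrets
from typing import Optional

# Constructed in-memory stores, one per shard, keyed by the public token id.
# Each record holds (sha256 of the secret part, principal); the secret itself
# is never stored, so a leaked store does not yield usable tokens.
SHARD_STORES: dict[str, dict[str, tuple[str, str]]] = {"us1": {}, "eu1": {}}


def _hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_token(shard: str, principal: str) -> str:
    """Mint an opaque token whose prefix names the shard that stores it."""
    if shard not in SHARD_STORES:
        raise ValueError(f"unknown shard {shard!r}")
    token_id = secrets.token_hex(8)       # public selector, only used for lookup
    secret = secrets.token_urlsafe(32)    # 256-bit verifier, the part that is secret
    SHARD_STORES[shard][token_id] = (_hash(secret), principal)
    return f"{shard}.{token_id}.{secret}"


def route_for(token: str) -> Optional[str]:
    """Frontend step: read the shard hint without trusting it; unknown shard -> None."""
    shard = token.split(".", 1)[0]
    return shard if shard in SHARD_STORES else None


def verify_token(token: str) -> Optional[str]:
    """Backend step: verify the whole token against the shard's store."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    shard, token_id, secret = parts
    record = SHARD_STORES.get(shard, {}).get(token_id)
    if record is None:
        # Unknown id: still do one hash-and-compare so the miss costs about the
        # same as a wrong secret, then reject.
        secrets.compare_digest(_hash(secret), _hash(secret))
        return None
    stored_hash, principal = record
    # Constant-time comparison (simonw's point): never `==` on token material.
    if not secrets.compare_digest(stored_hash, _hash(secret)):
        return None
    return principal
```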
| mooreds wrote:
| This was great. A really fair survey of various token methods.
| Plus plenty of liveliness, not boring at all. Thanks, OP!
|
| One thing that I wish was addressed more was language/library
| support. It gets casual references a couple of times, but for an
| average developer (as I consider myself) a set of robust,
| supported open source libraries that help me use a token is so
| important (not write an implementation, but use in a project that
| just wants to use the tokens safely).
|
| I don't have anything but anecdata, but I feel like most software
| is going to be in the 'just want to use it' category, rather than
| the 'need to implement it'.
|
| This is where the standards like OAuth and JWT win right now.
| That doesn't mean they always will, but in my experience, that's
| the current situation.
| CiPHPerCoder wrote:
| For PASETO, the quick guide to library support is
| https://paseto.io
| tptacek wrote:
| The one thing I'm not super comfortable about here is my PASETO
| take. My attitude going in was that PASETO has a lot of boosters
| and not a lot of critical takes. I can beat up on Macaroons
| because we're using them, and I'm going to follow up with a post
| about what our Macaroons look like. I'm not doing that with
| PASETO. So, like, I stand by it, but take it for what it's worth.
___________________________________________________________________
(page generated 2021-08-24 23:00 UTC)