On Tue, 13 Mar 2018 05:03:21 +1100
Chris Angelico <ros...@gmail.com> wrote:
> Using the 'secrets' module to generate URLs like this isn't wrong;
> since these URLs have to be unguessable (you shouldn't be able to type
> http://metube.example/aaaaac and get someone's secret unlisted video),
> their identifiers have to be functionally equivalent to session IDs
> and such. And since advertisers *do* want to put links to their videos
> onto billboards, QR codes are definitely a thing; and companies won't
> use metube if its competitor's QR codes can be scanned reliably from
> two platforms across and ours need to be scanned from right up next to
> it.

Yeah.  So people building such a platform can use a custom token
length.  Still, I think it's better to have a future-proof default token
length.  People will know if they need to shorten it for usability
reasons.  However, if we default to shorter tokens, people won't
know whether they need to ask for a longer length for security reasons.

"Secure by default, better usability with a simple parameter tweak"
sounds like a sane API guideline.
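As an added illustration that is not part of this thread, here is how a platform builder could make the "ask for a longer length for security reasons" decision explicit instead of guessing: pick the token size from an expected-hit bound (assumed model: expected attacker hits ≈ issued IDs × guesses / 2^bits) and compare it to the default `secrets.token_urlsafe()` output. The guessing model and the sample numbers are assumptions, not figures from the thread.

```python
import math
import secrets


def required_token_bytes(issued_ids: int, attacker_guesses: int,
                         max_hit_probability: float) -> int:
    """Smallest number of random bytes for which an attacker making
    `attacker_guesses` uniformly random guesses against `issued_ids` live
    identifiers succeeds with probability at most `max_hit_probability`.

    Assumed model (a simplification): expected hits ~= ids * guesses / 2**bits,
    so bits = log2(ids * guesses / p). Rounded up to whole bytes because
    secrets.token_urlsafe(nbytes) takes a byte count.
    """
    if issued_ids < 1 or attacker_guesses < 1:
        raise ValueError("issued_ids and attacker_guesses must be >= 1")
    if not 0.0 < max_hit_probability < 1.0:
        raise ValueError("max_hit_probability must be in (0, 1)")
    bits = math.log2(issued_ids * attacker_guesses / max_hit_probability)
    return math.ceil(bits / 8)


def urlsafe_token_length(nbytes: int) -> int:
    """Characters a user (or QR code) has to carry for nbytes of entropy.

    token_urlsafe() is unpadded URL-safe base64, so this is ceil(4 * n / 3);
    computing it from a real token keeps the function honest.
    """
    return len(secrets.token_urlsafe(nbytes))


def token_budget(issued_ids: int, attacker_guesses: int,
                 max_hit_probability: float) -> dict:
    """Summarise the security/usability trade-off for one deployment."""
    needed = required_token_bytes(issued_ids, attacker_guesses, max_hit_probability)
    default_len = len(secrets.token_urlsafe())   # library default, no nbytes given
    return {
        "bytes_needed": needed,
        "url_chars_needed": urlsafe_token_length(needed),
        "default_url_chars": default_len,
        "default_is_enough": default_len >= urlsafe_token_length(needed),
    }


if __name__ == "__main__":
    # Constructed scenario: 1e9 unlisted videos, attacker can try 1e12 URLs,
    # operator tolerates a one-in-a-million chance of any hit.
    print(token_budget(10**9, 10**12, 1e-6))
```

If `default_is_enough` is true, shortening for usability is a deliberate choice with a known cost; if it is false, the deployment needs to pass a larger `nbytes` explicitly.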

Python-ideas mailing list
Code of Conduct: http://python.org/psf/codeofconduct/