On Tue, Mar 13, 2018 at 5:32 AM, Antoine Pitrou <solip...@pitrou.net> wrote:
> On Tue, 13 Mar 2018 05:03:21 +1100
> Chris Angelico <ros...@gmail.com> wrote:
>>
>> Using the 'secrets' module to generate URLs like this isn't wrong;
>> since these URLs have to be unguessable (you shouldn't be able to type
>> http://metube.example/aaaaac and get someone's secret unlisted video),
>> their identifiers have to be functionally equivalent to session IDs
>> and such. And since advertisers *do* want to put links to their videos
>> onto billboards, QR codes are definitely a thing; and companies won't
>> use metube if its competitor's QR codes can be scanned reliably from
>> two platforms across and ours need to be scanned from right up next to
>> it.
>
> Yeah. So people building such a platform can use a custom token
> length. Still, I think it's better to have a future-proof default token
> length. People will know if they need to shorten it for usability
> reasons. However, if we default to shorter tokens, people won't
> know whether they need to ask for a longer length for security reasons.
>
> "Secure by default, better usability with a simple parameter tweak"
> sounds like a sane API guideline.

Yep, I think we're on the same page here!

ChrisA
_______________________________________________
Python-ideas mailing list
Python-ideas@python.org
https://mail.python.org/mailman/listinfo/python-ideas
Code of Conduct: http://python.org/psf/codeofconduct/
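
The trade-off discussed in this thread, as an added example that is not code from either poster or from the 'secrets' module itself: it compares the module's default token length with explicitly shortened ones by URL length and by how long an online guesser would need to hit any valid identifier. The helper names, the number of live URLs and the guess rate are assumptions constructed for illustration.

```python
import math
import secrets

SECONDS_PER_YEAR = 365 * 24 * 3600

# Whatever length this Python version uses when no size is requested.
DEFAULT_NBYTES = len(secrets.token_bytes())


def url_token(nbytes=None):
    """Unguessable URL identifier; nbytes=None keeps the library default."""
    return secrets.token_urlsafe(nbytes)


def token_chars(nbytes):
    """Characters in token_urlsafe(nbytes): unpadded base64 of nbytes bytes."""
    return (4 * nbytes + 2) // 3


def expected_guesses(nbytes, live_tokens):
    """Approximate mean number of random guesses before one of
    live_tokens valid identifiers is hit (keyspace / valid tokens)."""
    return 2 ** (8 * nbytes) / live_tokens


def years_to_first_hit(nbytes, live_tokens, guesses_per_second):
    """Expected time for a guesser at a fixed rate to reach any valid URL."""
    seconds = expected_guesses(nbytes, live_tokens) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed assumptions: one billion unlisted videos, and a guesser
    # sustaining one million requests per second against the site.
    live, rate = 10**9, 10**6
    for label, nbytes in (("default", DEFAULT_NBYTES),
                          ("shortened", 12),
                          ("too short", 6)):
        years = years_to_first_hit(nbytes, live, rate)
        print(f"{label:10} nbytes={nbytes:2} chars={token_chars(nbytes):2} "
              f"example={url_token(nbytes)} "
              f"~10^{math.log10(years):.0f} years to first hit")
```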