
Even I wouldn't recommend generating your bearer tokens client side if they are actually doing it, but the collision thing is a bit far-fetched. Any randomly generated UUID like UUID4 has randomness in a space of 2^122 (ignoring predetermined bits). For practical purposes this is almost unique; you would need to generate ~2^61 IDs for a 0.5 probability of a collision happening.
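The numbers in the comment above (122 random bits, roughly 2^61 IDs for a 50% collision chance) come from the birthday bound. The following is an added worked example, not code from the thread or from the product being discussed: it computes the bound for an arbitrary bit width, inverts it to get the ID count for a target probability, and empirically counts how many bits of a `uuid.uuid4()` value are actually random (the version and variant fields are fixed). The sample size of 2000 UUIDs is an assumption chosen so that a genuinely random bit is constant across the sample with negligible probability.

```python
import math
import uuid


def collision_probability(n_ids: int, bits: int) -> float:
    """Birthday-problem probability that at least two of n_ids values drawn
    uniformly from a space of 2**bits collide.

    Uses the standard approximation p ~= 1 - exp(-n(n-1) / (2N)), which is
    extremely accurate while n is far below N (true for any 122-bit space).
    """
    space = 2.0 ** bits
    return 1.0 - math.exp(-n_ids * (n_ids - 1) / (2.0 * space))


def ids_for_collision_probability(p: float, bits: int) -> float:
    """Invert the approximation: how many random IDs until the collision
    probability reaches p.  For p = 0.5 this is sqrt(2 * ln 2 * N), i.e.
    about 1.18 * 2**(bits / 2); for 122 bits that is ~2**61.2.
    """
    return math.sqrt(-2.0 * (2.0 ** bits) * math.log(1.0 - p))


def uuid4_random_bits(sample_size: int = 2000) -> int:
    """Count the bits of a version-4 UUID that actually vary.

    Bits that are 1 in every sample (AND of all values) or 0 in every sample
    (complement of the OR of all values) are fixed by the UUID format: the
    4-bit version field 0100 and the 2-bit variant field 10.  Everything
    else comes from the CSPRNG, leaving 128 - 6 = 122 random bits.
    sample_size = 2000 is an assumption: a random bit stays constant across
    2000 draws with probability 2**-1999, so the count is deterministic in
    practice.
    """
    all_bits = (1 << 128) - 1
    always_one = all_bits
    always_zero = all_bits
    for _ in range(sample_size):
        value = uuid.uuid4().int
        always_one &= value
        always_zero &= (~value) & all_bits
    fixed = bin(always_one).count("1") + bin(always_zero).count("1")
    return 128 - fixed


if __name__ == "__main__":
    for bits in (122, 128, 256):
        n_half = ids_for_collision_probability(0.5, bits)
        print(f"{bits:3d} random bits: 50% collision after ~2^{math.log2(n_half):.2f} IDs")
    # A 2**61 sample, the round figure used in the comment, is just under the
    # 50% mark: p ~= 1 - exp(-0.5) ~= 0.39.
    print(f"p(collision) with 2^61 UUID4s: {collision_probability(2 ** 61, 122):.3f}")
    print(f"random bits in uuid4(): {uuid4_random_bits()}")
```

The same arithmetic shows why a 256-bit server-side token (for example 32 bytes from a CSPRNG) makes collisions irrelevant at any realistic scale: the 50% point moves to around 2^128 tokens.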


I think the issue is that a hacked client could send a bad "UUID", not that properly randomly generated tokens would collide.


What will that accomplish, though? The way he described their auth APIs, you will be able to set an auth token generated by you for an account that you already have the user credentials for anyway.


What is a bad “UUID”? And wouldn’t the hacked client do things anyway like uploading the UID or local credentials to its servers?


It's pretty much industry standard for a distributed system to use UUIDs to generate statistically guaranteed unique IDs.



