On Tue, 13 Mar 2018 05:03:21 +1100 Chris Angelico <rosuav@gmail.com> wrote:
> Using the 'secrets' module to generate URLs like this isn't wrong; since these URLs have to be unguessable (you shouldn't be able to type http://metube.example/aaaaac and get someone's secret unlisted video), their identifiers have to be functionally equivalent to session IDs and such. And since advertisers *do* want to put links to their videos onto billboards, QR codes are definitely a thing; and companies won't use metube if its competitor's QR codes can be scanned reliably from two platforms across and ours need to be scanned from right up next to it.
Yeah. So people building such a platform can use a custom token length. Still, I think it's better to have a future-proof default token length. People will know if they need to shorten it for usability reasons. However, if we default to shorter tokens, people won't know whether they need to ask for a longer length for security reasons. "Secure by default, better usability with a simple parameter tweak" sounds like a sane API guideline.

Regards,

Antoine.
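As an added illustration of the trade-off discussed above (this is example code written for this page, not code from the thread or from CPython's `secrets` module): a wrapper that defaults to a long token and makes callers opt in to a shorter one, plus the arithmetic behind the "future-proof default" argument. `DEFAULT_NBYTES`, `unlisted_video_id`, the 8-byte floor and the guess-rate figures are assumptions for the example, not anything the thread or the stdlib specifies.

```python
import math
import re
import secrets

# Assumed default for this example: 32 random bytes (256 bits). The wrapper
# pins its own default rather than relying on whatever secrets.token_urlsafe()
# picks when called with no argument, so the policy is explicit in our code.
DEFAULT_NBYTES = 32

# Assumed floor: below 64 bits an identifier space is enumerable at scale.
MIN_NBYTES = 8

# base64url alphabet produced by secrets.token_urlsafe (no '=' padding)
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def unlisted_video_id(nbytes: int = DEFAULT_NBYTES) -> str:
    """Return an unguessable identifier for an unlisted video.

    Secure by default: a caller who needs a shorter URL (QR codes, billboards)
    has to ask for it explicitly via nbytes, and cannot go below MIN_NBYTES.
    """
    if nbytes < MIN_NBYTES:
        raise ValueError(f"nbytes must be >= {MIN_NBYTES}; got {nbytes}")
    return secrets.token_urlsafe(nbytes)


def is_well_formed(token: str) -> bool:
    """Cheap syntactic check before a database lookup (rejects obvious junk)."""
    return bool(_TOKEN_RE.match(token))


def entropy_bits(nbytes: int) -> int:
    """Bits of entropy in a token built from nbytes random bytes."""
    return nbytes * 8


def url_chars(nbytes: int) -> int:
    """Characters token_urlsafe(nbytes) emits: base64url, 4 chars per 3 bytes,
    rounded up because padding is stripped rather than emitted."""
    return math.ceil(nbytes * 4 / 3)


def expected_years_to_hit(nbytes: int,
                          guesses_per_second: float = 1e9,
                          live_targets: int = 1) -> float:
    """Expected time for an online/offline guesser to land on *any* one of
    live_targets valid tokens. On average half the space is searched, and
    every valid token is a hit, so divide by the number of live targets.
    The guess rate is an assumed figure, not a measurement."""
    space = 2 ** entropy_bits(nbytes)
    expected_guesses = space / 2 / live_targets
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed comparison: one million unlisted videos, 1e9 guesses/s.
    for nbytes in (8, 16, DEFAULT_NBYTES):
        print(f"{nbytes:>2} bytes -> {url_chars(nbytes):>2} URL chars, "
              f"{entropy_bits(nbytes):>3} bits, "
              f"~{expected_years_to_hit(nbytes, 1e9, 1_000_000):.3g} years to a hit")
    print("sample id:", unlisted_video_id())
```

The point the table makes is the one in the message above: 8 bytes gives an 11-character URL that reads nicely off a billboard but, once a site has a million unlisted videos, an attacker at a billion guesses per second expects a hit in hours; 16 bytes (22 characters) pushes that beyond any practical horizon. Whoever shortens the default has the usability reason in front of them; whoever would need to lengthen a short default usually does not know they need to.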