api keys generation about cuid HOT 5 CLOSED

"Those keys will give user full access to the application via REST API."

This is not a job for UUID, Hat, or Cuid. None of these solutions provide cryptographically secure solutions suitable for authentication purposes. It sounds like you're probably looking for a cryptographic key solution such as JSON Web Tokens.

from cuid.

Let me try to better explain.

Basically I would need to generate some API key for users, in order to make them able to connect to the web app via third party services.

Something like the pinboard.in api key, or the JSbin one.

For example JSbin creates them using the following code https://github.com/jsbin/jsbin/blob/e9eaa748f8ab9a72f8cdee302e8f096aebca2f28/lib/models/user.js#L63-L66

I don't need to store sensitive informations inside it.
Isn't in enough to have something that generates unique and non guessable keys?

I'm already using JWT for storing user informations when they login.

I'm not so fond on this topic and was wondering about best practices in my case.

from cuid.

Isn't in enough to have something that generates unique and non guessable keys?

The problem is that "non guessable" has a complex meaning. prng's don't use cryptographically secure means of generating random data such that it is guaranteed to be non-guessable, which is why I explicitly mention in the docs that cuid should not be used if you need a cryptographically secure string.

For authentication, you should be using an existing standard such as Oauth1.5 (not 2.0, which is less secure), or JWT. Do not use UUIDs, GUIDs, cuids, or any pseudorandom-based mechanism for this purpose.

from cuid.

Thanks for your support, It's gonna be very helpful for an app I'm working on.
I have nothing to share at the moment but I will certainly do as soon as possible.
A security audit from you would be highly appreciated.

from cuid.

You're welcome. =)

from cuid.