nul-reference
commented
9 months ago Also while OWASP mandates at least 64 bits of entropy, we're effectively cutting the UUID entropy in half with this change;
As nanoid represents values in effectively URL-safe base64, the value represented by 22 characters is 132 bits long, leaving the entropy at 66 bit, from my understanding. UUIDv4, as a 128 bit value minus 6 fixed bits, has 61 bits of entropy.
Granted, the search space for either is almost certainly within “good enough” space for almost all applications, but imho the smaller size both in bandwidth mixed with higher entropy is nice.
It might be worth considering to add a trait for Id with a default implementation, now that I think of it, so any Id can be used depending on backend and application requirements.
Unrelated, but thank you for the great ecosystem of crates!
maxcountryman
codecov[bot]
UUIDv4 has 122 random bits, with 6 fixed bits for identifying the format. Additionally, it uses hexadecimal encoding, which makes it take more bandwidth to transfer.
This patch replaces UUIDv4 with an array of bytes derived from the
nanoidcrate, which gives 66 bits of entropy. This exceeds the minimum recommended by OWASP. Additionally, the byte array is encoded as URL-safe Base64 for usage as a string.It should be noted that
nanoidalso uses StdRng from therandcrate, utilizing a ChaCha12 block cypher for a rather strong CSPRNG, removing most of the need to be wary of platform support.Documentation has been updated everywhere I could find, and tests have passed from what I can tell. (Also have a build of this working utilizing axum-login in a project of mine.)