search

tuupola / branca-spec

Authenticated and encrypted API tokens using modern crypto
https://www.branca.io/
219 stars 7 forks source link

Describe base62 in more detail #14

Open tuupola opened 5 years ago

tuupola commented 5 years ago

Should specify that used Base62 encoding is byte by byte.

ghost commented 3 years ago

Why not Base64UrlSafe? libsodium has a constant-time implementation of it already, including URL safe variant... also exposed through php-sodium.

tuupola commented 3 years ago

1) Usability, you can double click base62 encoded token to fully select it.

AAAAAAAAA_BBBBBBBBB-CCCCCCCCCC

vs

AAAAAAAAAABBBBBBBBBBCCCCCCCCCC

2) Usability, when using 0-9A-Za-z character set Base62 encoded strings preserve the sort order of the encoded values. Since the timestamp is in the beginning of token the Branca tokens can be sorted by their creation time.

$ branca encode --key supersecretkeyyoushouldnotcommit --payload "foo 1" > test.txt
$ branca encode --key supersecretkeyyoushouldnotcommit --payload "bar 2" >> test.txt
$ branca encode --key supersecretkeyyoushouldnotcommit --payload "pop 3" >> test.txt

$ cat test.txt 
1WgabfDGgbzPwVRnRwTBHMOBODseP3p2Mu60FrbbIjfQtq9em2cjptHeouoe8fZj97BO
1WgabfE9f73X78BZPpf6Mmgh7UoW2M6jORCD4Xzcfyta5ukNnGHxI3EEnBRrdkV7fOn9
1WgabfEjdXYAC0H4l4NMHeQBHd2kO6tptlbam8fbZD6LfXxXBXrN4uLoaVMbxBMiiMSk

$ sort --random-sort test.txt 
1WgabfE9f73X78BZPpf6Mmgh7UoW2M6jORCD4Xzcfyta5ukNnGHxI3EEnBRrdkV7fOn9
1WgabfDGgbzPwVRnRwTBHMOBODseP3p2Mu60FrbbIjfQtq9em2cjptHeouoe8fZj97BO
1WgabfEjdXYAC0H4l4NMHeQBHd2kO6tptlbam8fbZD6LfXxXBXrN4uLoaVMbxBMiiMSk

$ sort --random-sort test.txt | sort
1WgabfDGgbzPwVRnRwTBHMOBODseP3p2Mu60FrbbIjfQtq9em2cjptHeouoe8fZj97BO
1WgabfE9f73X78BZPpf6Mmgh7UoW2M6jORCD4Xzcfyta5ukNnGHxI3EEnBRrdkV7fOn9
1WgabfEjdXYAC0H4l4NMHeQBHd2kO6tptlbam8fbZD6LfXxXBXrN4uLoaVMbxBMiiMSk

3) Aesthetics, I personally do dislike how the _ and - characters look in a token, especially when passed in an url or something similar.

There is a small performance hit by using base62 instead of base64, but it is negligible since one should keep the amount data encoded into the token reasonably small anyway.

ghost commented 3 years ago

Thanks for taking the time to explain! It may be beneficial to also mention this in the specification itself.

tuupola commented 3 years ago

Good idea. Maybe some separate design notes document. I try to keep the spec short and concise too.