Magic link: encoding versus UUID?


I see that most of the marketplace functions that generate a magic link will create a password / random string and then use a function to encode the string before returning it as the token.

Is there any benefit to this approach versus just generating a UUID to serve as the token? The encoding seems unnecessary.

Best Answer

  • Ray Deck, Trusted Xano Expert ✭✭✭ (accepted answer)

    Yes, using a UUID should work fine. Many of the marketplace extensions and snippets are a bit over-engineered, and if you have a clear sense of how to solve your problem, you can be better off rolling your own simple solution than composing theirs.

    Stepping back, the main considerations for a magic link are:
    1) A high degree of randomness (entropy). You can solve this with length. The UUID does this well.

    2) Easy compatibility with HTTP encoding (e.g. it goes into the query string smoothly). This is why many folks use an additional level of encoding, like base64 or hex. But to your point, the UUID is just alphanumeric + dashes, so it works just fine.

    There's a third way, which is to use cryptography to validate a signed message (e.g. JWT) in the magic link rather than a lookup-based approach. The former is less expensive on the database. But it's a lot of ceremony for marginal value.

    We discuss authorization and security often as part of our focus on the hardest 5% in our daily office hours at State Change.
