Generate token for email and SMS

jordelver · March 14, 2021, 10:28pm

I have a form where a user submits their email, a record is inserted into the database, and the database id is added to the session. They are then redirected to a LiveView where the session is passed.

In case the user closes their browser or they want to find their page for any reason, I want to send an email and SMS containing a link. When they click the link they should end up back on their particular page.

So I need to generate a token for them.

Phoenix.Token seems like it would work, but it generates a long string, which would work fine for sending in an email, but is too long for an SMS.

Is it secure enough to just generate a random token, save to the database, and include that in a URL? What length is considered “good enough”?

No personal information is available on the user’s page and the page is short lived.

I’m paranoid about security after reading so much! Thanks.

hauleth · March 15, 2021, 7:37am

Depends on your security margin requirements and expected amount of traffic.

dom · March 15, 2021, 10:18am

OWASP is a good resource for this kind of question:

jordelver · March 15, 2021, 12:24pm

I’m not familiar with this term. Could you explain more?

This is a toy app at the moment but I want to learn the best practice in case it ever did take off.

jordelver · March 15, 2021, 12:25pm

Thank you, that’s really useful. Sounds like 16 bytes is the minimum for this sort of token.

jordelver · March 15, 2021, 12:33pm

I was just looking at how phx.auth.gen generates tokens and they do this:

token = :crypto.strong_rand_bytes(32)
hashed_token = :crypto.hash(:sha256, token)
Base.url_encode64(token, padding: false)