Does a web access token need to be encoded?
Our sports site is unlocking one of its main services so it is no longer necessary to sign up to use it for a few days. Anonymous users would have access for a few days, then we would lock them out and prompt them to sign up.
I figured out a way to implement this, other than using the session information (like a cart), a randomly generated token would be given to the user and passed through the URL would grant access, e.g. example.org/service/<service_id>?token=xxxxxxxxxxxxxx. On our backend we would store the token granting access to that service_id and keep information like an expiration date.
The token value (is there a better term than "value" for tokens?) would be generated through random bytes and base64-encoded so that it is URL safe:
base64.b64encode(os.urandom(30))
Please let me know if this is a good method of generating a random and safe token.
I guess a similar method would be this, although not exactly 30 bytes, but 30 characters:
"".join([random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(30)]
When asking about this on Python/Django communities I was suggested pyjwt, which is for JSON Web Tokens. But I fail to see how to use it or how web tokens come into my scenario.
would I be encoding the randomly generated token as payload? But that would result in encoding something twice, it doesn't seem necessary.
it supports encoding the token with expiration, but I would be storing that in our backend anyway and is easy to handle
Perhaps I am overcomplicating this, but I would like to know if there is a conventional way of designing such access token architectures.
