> The checksum is pointless because an entire 512 bit token still fits in an x86 cache line
I suppose it’s there to avoid round-trip to the DB. Most of us just need to host the DB on the same machine instead, but given sharding is involved, I assume the product is big enough this is undesirable.
> I assume the product is big enough
Experience tells otherwise
> I suppose it’s there to avoid round-trip to the DB.
That assumption is false. The article states that the DB is hit either way.
From the article:
> The reason behind having a checksum is that it allows you to verify first whether this API key is even valid before hitting the DB,
This is absurdly redundant. Caching DB calls is cheaper and simpler to implement.
If this was a local validation check, where the API key signature would be checked with a secret to avoid a DB round trip, then I could see the value in it. But that's already well in the territory of an access token, which then would be enough to reject the whole idea.
If I saw a proposal like that in my org I would reject it on the grounds of being technically unsound.
You need to support revocation, so I'm not sure it's ever possible to avoid the need for a round trip to verify the token.
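The distinction the thread draws, written out as an added example (not code from the article or from any commenter). A checksum suffix only catches malformed keys, a signature under a server-side secret lets the server reject forged keys without a lookup, and revocation still needs state either way. The `prefix_body_tag` layout, the CRC32 and HMAC-SHA256 tags, and `SERVER_SECRET` are constructed for this example.

```python
import binascii
import hashlib
import hmac
import secrets

# Constructed layout for this example: "<prefix>_<hex body>_<tag>".
SERVER_SECRET = b"constructed-example-secret"  # constructed, not a real secret


def _split(key):
    parts = key.split("_")
    return parts if len(parts) == 3 else None


# --- Checksum variant: detects typos/corruption, proves nothing about origin ---
def checksum_tag(body):
    # CRC32 has no secret, so anyone can compute a valid tag for any body.
    return f"{binascii.crc32(body.encode()) & 0xFFFFFFFF:08x}"


def make_checksum_key(prefix="sk"):
    body = secrets.token_hex(16)
    return f"{prefix}_{body}_{checksum_tag(body)}"


def checksum_ok(key):
    parts = _split(key)
    if parts is None:
        return False
    return hmac.compare_digest(checksum_tag(parts[1]).encode(), parts[2].encode())


# --- Signed variant: local rejection of forged keys (access-token territory) ---
def signature_tag(body):
    return hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()[:16]


def make_signed_key(prefix="sk"):
    body = secrets.token_hex(16)
    return f"{prefix}_{body}_{signature_tag(body)}"


def signature_ok(key):
    parts = _split(key)
    if parts is None:
        return False
    return hmac.compare_digest(signature_tag(parts[1]).encode(), parts[2].encode())


def authorize(key, revoked):
    # A valid signature avoids a lookup only for forged/garbled keys; a revoked
    # key still verifies locally, so the revocation lookup cannot be skipped.
    if not signature_ok(key):
        return "reject: bad signature"
    if key in revoked:
        return "reject: revoked"
    return "ok"
```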