Reputation: 64803
Using Python and Django, I will let my users give PDF-based gifts to their friends, which the said friend will be able to claim by entering my site from the emailed link.
Here is the plan:
User gives a gift to his friend, enters the friend's email.
In the background, a gift model is saved which will contain a uniquely generated hash code at the save.
Friend receives the email, which provides the link to download the PDF, which will be like (www.mydomain.com/gift/<hash code here>).
When the mailed link is clicked, the system checks if such a gift model with the given hash code exists.
If so, the download starts, else 404.
Is this a clever way of solving this? If so, what hashing function would you recommend? It is interesting as the /gift/ is open to the public; if somehow lucky enough to find a link, anyone can claim it. I am planning to feed the hash function with the receiver's first and last name plus the pk of the gift model.
Upvotes: 1
Views: 1145
Reputation: 304215
There is no need to use a hash; you just need a random token.
Make the string of characters long enough that you are happy it will be hard to guess.
An easy way to generate a random string is:
>>> import os
>>> os.urandom(10).encode('hex')
'3fa0c2f72ff275f48d66'
>>> os.urandom(20).encode('hex')
'ecc1143b3fc90bd99bcd609b326694f13291e3d1'
>>> os.urandom(30).encode('hex')
'd4a9a2cd7b48eca831e9805e68dd6f7db7275b654e55cdec603631a5a355'
>>>
Upvotes: 6
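An added example, not part of the original answer: the random-token approach on Python 3 (where `bytes` has no `.encode('hex')`), next to the question's name-plus-pk hash for contrast. `GIFTS`, `issue_gift`, `claim_gift` and `guessable_token` are hypothetical names, the dict stands in for the Django gift model, and storing only the token's SHA-256 and making the link single-use are assumptions of this example rather than requirements from the page.

```python
import hashlib
import secrets

# Hypothetical in-memory stand-in for the gift model table.
# Key: SHA-256 of the token, so a leaked table does not reveal usable links.
GIFTS = {}


def _digest(token):
    return hashlib.sha256(token.encode("utf-8", "ignore")).hexdigest()


def issue_gift(pdf_name, recipient_email, nbytes=32):
    """Save a gift and return the secret token to place in the emailed link."""
    # secrets draws from the OS CSPRNG (same source as os.urandom);
    # 32 bytes gives 256 bits of entropy in a URL-safe string.
    token = secrets.token_urlsafe(nbytes)
    GIFTS[_digest(token)] = {
        "pdf": pdf_name,
        "email": recipient_email,
        "claimed": False,
    }
    return token


def claim_gift(token):
    """Return the PDF name for a valid, unclaimed token, else None (view sends 404)."""
    if not isinstance(token, str) or not token or len(token) > 128:
        return None
    gift = GIFTS.get(_digest(token))
    if gift is None or gift["claimed"]:
        return None
    gift["claimed"] = True  # assumption of this example: one download per link
    return gift["pdf"]


def guessable_token(first, last, pk):
    """The question's plan: hash of name + pk. Same inputs always give the
    same link, so anyone who knows the name can enumerate pk values."""
    return hashlib.sha256(f"{first}{last}{pk}".encode("utf-8")).hexdigest()


if __name__ == "__main__":
    t = issue_gift("gift.pdf", "friend@example.com")  # constructed sample data
    print("link: /gift/" + t)
    print("first claim:", claim_gift(t))
    print("second claim:", claim_gift(t))
```

In a Django view, `claim_gift` returning `None` corresponds to the 404 branch of the plan in the question.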
Reputation: 32404
UUIDs are pretty random
In [13]: import uuid
In [14]: uuid.uuid4().hex
Out[14]: 'f7a7667e94574e32b3589f84ca35a98d'
Upvotes: 1
Reputation: 43912
It may not do things exactly the way you wish, but this project would be a good starting point:
http://github.com/mogga/django-token-auth/
Upvotes: 0