Generating unique token on the fly with Rails

Question

I want to generate a token in my controller for a user in the \"user_info_token\" column. However, I want to check that no user currently has that token. Would this code suffice

Answer 1

If your token is long enough and generated by a cryptographically secure [pseudo-]random number generator, then you do not need to verify that the token is unique. You do not need to generate tokens in a loop.

16 raw source bytes is long enough for this effective guarantee. When formatted for URL-safety, the result will be longer.

# Base-64 (url-safe) encoded bytes, 22 characters long
SecureRandom.urlsafe_base64(16)

# Base-36 encoded bytes, naturally url-safe, ~25 characters long
SecureRandom.hex(16).to_i(16).to_s(36)

# Base-16 encoded bytes, naturally url-safe, 32 characters long
SecureRandom.hex(16)

This is because the probability that the 16-byte or 128-bit token is nonunique is so vanishingly small that it is virtually zero. There is only a 50% chance of there being any repetitions after approximately 2⁶⁴ = 18,446,744,073,709,551,616 = 1.845 x 10¹⁹ tokens have been generated. If you start generating one billion tokens per second, it will take approximately 2⁶⁴/(10⁹*3600*24*365.25) = 600 years until there is a 50% chance of there having occurred any repetitions at all.

But you're not generating one billion tokens per second. Let's be generous and suppose you were generating one token per second. The time frame until a 50% chance of even one collision becomes 600 billion years. The planet will have been swallowed up by the sun long before then.