Quickly Generate a Unique, Static Token for a Model

1👍

Add a constraint to make sure the token field only accepts unique values. Then catch the exception in the save method and regenerate the token if it is a duplicate.

unique=True on the field.
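The pattern this answer describes, as an added example that is not code from the answer: the database's UNIQUE constraint is the only check, the insert is attempted, and an IntegrityError triggers a fresh token and a retry. It uses sqlite3 so it runs without Django; the table name `item`, the `token_factory` hook (there only so a collision can be forced in tests) and the attempt limit are assumptions of this example.

```python
import secrets
import sqlite3
from typing import Callable, Tuple

# Added example (not from the answer): "unique constraint + catch + retry"
# with sqlite3. In Django the same shape is unique=True on the field and
# catching django.db.IntegrityError around the save().

DEFAULT_TOKEN_BYTES = 32   # 256 bits of randomness; accidental collisions are practically impossible
MAX_ATTEMPTS = 5           # bound the loop so a broken generator cannot spin forever


def new_connection() -> sqlite3.Connection:
    """In-memory database with the schema created (example helper)."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    return conn


def create_schema(conn: sqlite3.Connection) -> None:
    """The database, not application code, is the arbiter of uniqueness."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS item ("
        " id INTEGER PRIMARY KEY,"
        " name TEXT NOT NULL,"
        " token TEXT NOT NULL UNIQUE)"
    )


def generate_token(nbytes: int = DEFAULT_TOKEN_BYTES) -> str:
    """Cryptographically random, URL-safe token (secrets, never random)."""
    return secrets.token_urlsafe(nbytes)


def insert_with_unique_token(
    conn: sqlite3.Connection,
    name: str,
    token_factory: Callable[[], str] = generate_token,
    max_attempts: int = MAX_ATTEMPTS,
) -> Tuple[int, str]:
    """Insert a row; if the UNIQUE constraint rejects the token, regenerate
    and try again. Returns (row id, token)."""
    for _ in range(max_attempts):
        token = token_factory()
        try:
            with conn:  # commits on success, rolls back the failed INSERT on error
                cur = conn.execute(
                    "INSERT INTO item (name, token) VALUES (?, ?)", (name, token)
                )
            return cur.lastrowid, token
        except sqlite3.IntegrityError:
            # Token already taken (or a concurrent writer won the race): new token, retry.
            continue
    raise RuntimeError(f"could not allocate a unique token after {max_attempts} attempts")


def lookup_by_token(conn: sqlite3.Connection, token: str):
    """Resolve a token back to (id, name), or None if unknown."""
    return conn.execute(
        "SELECT id, name FROM item WHERE token = ?", (token,)
    ).fetchone()


if __name__ == "__main__":
    conn = new_connection()
    row_id, token = insert_with_unique_token(conn, "first")
    print(row_id, token, lookup_by_token(conn, token))
```

Letting the constraint fail rather than doing a SELECT-then-INSERT avoids the race between two requests that both see the token as free. In Django, wrap each attempt in its own `transaction.atomic()` block: on PostgreSQL an IntegrityError caught outside a savepoint leaves the enclosing transaction unusable.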

0👍

You perhaps want something along the lines of itsdangerous, or simply the standard hmac library.

The idea is that you would establish a private secret key on your server; you need to do this only once.

Then, use that secret key, along with an appropriate hashing algorithm, to generate what's called a "message authentication code", which is a secure means of proving that a message is really, honestly from the original source, in your case from your server. The message would contain the primary key or some other useful query value for the data you want to access.

When responding to a request for one of these, you decompose the message into the lookup value and signature, and verify that the signature is for that particular value.

One disadvantage is that the primary key (or other key) is encoded in clear text in the message, which could possibly disclose more information about the object than you'd like. That said, there's no (reasonable) possibility that the signature can be "guessed" for any particular key without the signing key.
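The scheme described in this answer, as an added example that is not code from the answer and does not use itsdangerous: the token is `<pk>.<HMAC-SHA256 signature>`, and verification splits it, recomputes the MAC for the lookup value and compares in constant time. `SECRET_KEY` is a constructed placeholder and the `sign_pk`/`verify_pk` names are this example's own.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Added example (not from the answer): signed lookup token with the stdlib hmac module.
# SECRET_KEY is a constructed placeholder; a real server loads it once from a secret
# store (e.g. secrets.token_bytes(32) stored in the environment) and never sends it out.
SECRET_KEY = b"placeholder-replace-with-32-random-bytes"


def _signature(secret: bytes, payload: bytes) -> str:
    """HMAC-SHA256 over the payload, URL-safe base64 without padding."""
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def sign_pk(pk: int, secret: bytes = SECRET_KEY) -> str:
    """Return '<pk>.<signature>'. The pk travels in clear text; only the
    signature depends on the secret."""
    if not isinstance(pk, int) or pk < 0:
        raise ValueError("pk must be a non-negative integer")
    payload = str(pk).encode("ascii")
    return f"{pk}.{_signature(secret, payload)}"


def verify_pk(token: str, secret: bytes = SECRET_KEY) -> Optional[int]:
    """Decompose the token, recompute the MAC for the lookup value and compare
    in constant time. Returns the pk, or None on any failure (malformed token,
    tampered value, tampered or foreign signature)."""
    value, sep, sig = token.rpartition(".")
    if not (sep and value.isascii() and value.isdigit()):
        return None
    expected = _signature(secret, value.encode("ascii"))
    # compare_digest on bytes: constant-time, and safe for arbitrary client input.
    if not hmac.compare_digest(expected.encode("ascii"), sig.encode("utf-8")):
        return None
    return int(value)


if __name__ == "__main__":
    token = sign_pk(42)
    print(token)                       # e.g. 42.<43 base64url chars>
    print(verify_pk(token))            # 42
    print(verify_pk("43." + token.split(".", 1)[1]))  # None: signature is for 42
```

Because the pk is visible, a client can still enumerate how many objects exist; the MAC only stops them from producing a valid token for a pk they were not given. If the same key signs tokens for several models, put the model name in the signed payload as well so a token minted for one table cannot be replayed against another.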
