Timeflake is a 128-bit, roughly-ordered, URL-safe UUID. Inspired by Twitter's Snowflake, Instagram's ID and Firebase's PushID.
* Please consider how the Birthday Paradox might affect your use case. Also read the security note on this readme.
This could be useful to you, if you're looking for a UUID with the following properties:
Some existing alternatives which I considered:
import timeflake
# Create a random Timeflake
flake = timeflake.random()
>>> Timeflake(base62='00mx79Rjxvfgr8qat2CeQDs')
# Get the base62, int, hex or bytes representation
flake.base62
>>> '00mx79Rjxvfgr8qat2CeQDs'
flake.hex
>>> '016fa936bff0997a0a3c428548fee8c9'
flake.int
>>> 1909005012028578488143182045514754249
flake.bytes
>>> b'\x01o\xa96\xbf\xf0\x99z\n<B\x85H\xfe\xe8\xc9'
# Convert to the standard library's UUID type
flake.uuid
>>> UUID('016fa936-bff0-997a-0a3c-428548fee8c9')
# Get the timestamp component
flake.timestamp
>>> 1579091935216
# Get the random component
flake.random
>>> 724773312193627487660233
# Parse an existing flake (you can also pass bytes, hex or int representations)
timeflake.parse(from_base62='0002HCZffkHWhKPVdXxs0YH')
>>> Timeflake('0004fbc6872f70fc9e27355a499e8b6d')
# Create from a user defined timestamp or random value:
timeflake.from_values(1579091935216, 724773312193627487660233)
>>> Timeflake('016fa936bff0997a0a3c428548fee8c9')
The timeflake 02i2XhN7hAuaFh3MwztcMd (base62) encodes the following:
# Milliseconds since unix epoch
timestamp = 1579275030563
# Cryptographically generated random number
random = 851298578153087956398315
A custom base62 alphabet representation is included, modified to preserve lexicographical order when sorting strings using this encoding. The hex representation has a max length of 32 characters, while the base62 will be 22 characters. Padding is required to be able to derive the encoding from the string length.
The following are all valid representations of the same Timeflake:
int = 1909226360721144613344160656901255403
hex = 016fb4209023b444fd07590f81b7b0eb
base62 = 02i2XhN7hAuaFh3MwztcMd
You can use timeflakes as primary keys for your models. These fields currently support MySQL, Postgres and Sqlite3.
Example usage:
from django.db import models
from timeflake.extensions.django import TimeflakePrimaryKeyBinary

class Item(models.Model):
    # Timeflake used as the model's primary key
    item_id = TimeflakePrimaryKeyBinary()
    # ...
See this gist for an example.
Since the timestamp part is predictable, the search space within any given millisecond is 2^80 random numbers, which is meant to avoid collisions, not to secure or hide information. You should not be using timeflakes for password-reset tokens, API keys or for anything which is security sensitive. There are better libraries which are meant for this use case (for example, the standard library's secrets module).
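What the note above means in practice, as an added example that is not code from the timeflake project: the hex form of the ID shown on this page is split into its timestamp and random parts with the standard library alone, and a security-sensitive token is drawn from secrets instead. The 48-bit/80-bit split is an assumption taken from the values on this page; `looks_time_based` and `new_secret_token` are hypothetical helper names.

```python
import secrets
from datetime import datetime, timezone
from typing import Tuple

# Layout assumed from this page's values: 48-bit millisecond timestamp
# followed by 80 random bits (the 2^80 search space per millisecond).
RANDOM_BITS = 80


def split_timeflake(hex_id: str) -> Tuple[int, int]:
    """Return (timestamp_ms, random) from a 32-character hex Timeflake."""
    if len(hex_id) != 32:
        raise ValueError("expected 32 hex characters (128 bits)")
    value = int(hex_id, 16)
    return value >> RANDOM_BITS, value & ((1 << RANDOM_BITS) - 1)


def created_at(hex_id: str) -> datetime:
    """Creation time that anyone holding the ID can read back from it."""
    timestamp_ms, _ = split_timeflake(hex_id)
    return datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc)


def looks_time_based(hex_token: str, start: datetime, end: datetime) -> bool:
    """Hypothetical audit helper: flag a 128-bit hex token whose leading
    48 bits decode to a time inside the window when tokens were issued."""
    try:
        return start <= created_at(hex_token) <= end
    except (ValueError, OverflowError, OSError):
        return False  # not hex, wrong length, or no representable time


def new_secret_token() -> str:
    """Security-sensitive values: 256 unpredictable bits from secrets."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    flake_hex = "016fb4209023b444fd07590f81b7b0eb"  # hex form from this page
    print(split_timeflake(flake_hex)[0], created_at(flake_hex).isoformat())
    window = (datetime(2020, 1, 1, tzinfo=timezone.utc),
              datetime(2020, 2, 1, tzinfo=timezone.utc))
    print(looks_time_based(flake_hex, *window))   # time-based ID detected
    print(looks_time_based("f" * 32, *window))    # constructed non-match
    print(new_secret_token())
```

Running `looks_time_based` over stored reset tokens or API keys, with the window set to the period in which they were issued, is a quick way to find places where a time-ordered ID was used as a secret.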
Please be aware of the privacy implications that time based IDs can have. As Timeflake encodes the precise time in which the ID was created, this could potentially reveal:
Right now the codebase is only tested with Python 3.7+.
No dependencies other than the standard library.
Want to hack on the project? Any kind of contribution is welcome! Simply follow the next steps:
Thank you for making this project better!
Please see the CHANGELOG for more details.
This project is licensed under the MIT license. Please read the LICENSE file for more details.
FAQs
We found that timeflake demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.