Restorer.Id
val generate : unit -> t
generate ()
is a fresh unguessable service ID. Note: you must initialise `Nocrypto`'s entropy before calling this (you will get a runtime error if you forget).
val derived : secret:string -> string -> t
derived ~secret name
is a service ID based on secret
and name
. It is calculated as SHA256.hmac secret name
. secret
could be the hash of a private key file, for example.
val public : string -> t
public name
is the service ID name
. This may be useful for interoperability with non-secure clients that expect to use a plain-text service ID (e.g. "calculator"). It could also be useful if name
is some unguessable token you have generated yourself.
digest h id
is the digest h id
.
Since id
is normally a secret token, we must be careful not to allow timing attacks (taking a slightly different amount of time to return an error depending on how much of the ID the caller guessed correctly). Taking a secure hash of the value first is one way to avoid this, since revealing the hash isn't helpful to the attacker.
val to_string : t -> string
to_string t
is the raw bytes of t
.
val pp : t Fmt.t