62cbc451aa
Move object ID, token, and random string generation into their own module, cryptoUtils. Remove hat dependency, which was used to generate session and some other tokens, because it used non-cryptographic random number generator. Replace it with the cryptographically secure one. The result has the same format (32-character hex string, 128 bits of entropy). Remove randomstring dependency, as we already have this functionality. Add tests.
45 lines
1.4 KiB
JavaScript
45 lines
1.4 KiB
JavaScript
import { randomBytes } from 'crypto';
|
|
|
|
// Returns a new random hex string of the given even size.
|
|
export function randomHexString(size) {
|
|
if (size === 0) {
|
|
throw new Error('Zero-length randomHexString is useless.');
|
|
}
|
|
if (size % 2 !== 0) {
|
|
throw new Error('randomHexString size must be divisible by 2.')
|
|
}
|
|
return randomBytes(size/2).toString('hex');
|
|
}
|
|
|
|
// Returns a new random alphanumeric string of the given size.
|
|
//
|
|
// Note: to simplify implementation, the result has slight modulo bias,
|
|
// because chars length of 62 doesn't divide the number of all bytes
|
|
// (256) evenly. Such bias is acceptable for most cases when the output
|
|
// length is long enough and doesn't need to be uniform.
|
|
export function randomString(size) {
|
|
if (size === 0) {
|
|
throw new Error('Zero-length randomString is useless.');
|
|
}
|
|
var chars = ('ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
|
|
'abcdefghijklmnopqrstuvwxyz' +
|
|
'0123456789');
|
|
var objectId = '';
|
|
var bytes = randomBytes(size);
|
|
for (var i = 0; i < bytes.length; ++i) {
|
|
objectId += chars[bytes.readUInt8(i) % chars.length];
|
|
}
|
|
return objectId;
|
|
}
|
|
|
|
// Returns a new random alphanumeric string suitable for object ID.
|
|
export function newObjectId() {
|
|
//TODO: increase length to better protect against collisions.
|
|
return randomString(10);
|
|
}
|
|
|
|
// Returns a new random hex string suitable for secure tokens.
|
|
export function newToken() {
|
|
return randomHexString(32);
|
|
}
|