Use random hex string instead of uuid for nonce

2016-06-10 10:44:26 +02:00
parent 9cdbfeae87
commit 405bb84ca6
5 changed files with 29 additions and 8 deletions
--- a/src/service/public-key.js
+++ b/src/service/public-key.js
@@ -18,7 +18,6 @@
 'use strict';

 const util = require('./util');
-const uuid = require('node-uuid');
 const tpl = require('../email/templates.json');

 /**
@@ -31,7 +30,7 @@ const tpl = require('../email/templates.json');
 *     {
 *       name:'Jon Smith',
 *       email:'jon@smith.com',
- *       nonce: "123e4567-e89b-12d3-a456-426655440000", // UUID v4 verifier used to prove ownership
+ *       nonce: "6a314915c09368224b11df0feedbc53c", // random 32 char verifier used to prove ownership
 *       verified: true // if the user ID has been verified
 *     }
 *   ],
@@ -92,7 +91,7 @@ class PublicKey {
    yield this._mongo.remove({ fingerprint:key.fingerprint }, DB_TYPE);
    // generate nonces for verification
    for (let uid of key.userIds) {
-      uid.nonce = uuid.v4();
+      uid.nonce = util.random();
    }
    // persist new key
    let r = yield this._mongo.create(key, DB_TYPE);
@@ -245,7 +244,7 @@ class PublicKey {
      return [];
    }
    if (email) {
-      let nonce = uuid.v4();
+      let nonce = util.random();
      yield this._mongo.update(query, { 'userIds.$.nonce':nonce }, DB_TYPE);
      let uid = key.userIds.find(u => u.email === email);
      uid.nonce = nonce;
@@ -253,7 +252,7 @@ class PublicKey {
    }
    if (keyId) {
      for (let uid of key.userIds) {
-        let nonce = uuid.v4();
+        let nonce = util.random();
        yield this._mongo.update({ 'userIds.email':uid.email }, { 'userIds.$.nonce':nonce }, DB_TYPE);
        uid.nonce = nonce;
      }
--- a/src/service/util.js
+++ b/src/service/util.js
@@ -17,6 +17,8 @@

 'use strict';

+const crypto = require('crypto');
+
 /**
 * Checks for a valid string
 * @param  {} data     The input to be checked
@@ -89,6 +91,17 @@ exports.throw = function(status, message) {
  throw err;
 };

+/**
+ * Generate a cryptographically secure random hex string. If no length is
+ * provided a 32 char hex string will be generated by default.
+ * @param  {number} bytes   (optional) The number of random bytes
+ * @return {string}         The random bytes in hex (twice as long as bytes)
+ */
+exports.random = function(bytes) {
+  bytes = bytes || 16;
+  return crypto.randomBytes(bytes).toString('hex');
+};
+
 /**
 * Get the server's own origin host and protocol. Required for sending
 * verification links via email. If the PORT environmane variable