
Use of uid2

Open benweet opened this issue 11 years ago • 3 comments

I've seen in your examples you mostly use uid2 for unique id generation which is now (in version 0.0.3) using node's crypto.pseudoRandomBytes(). As stated in the documentation, these ids are not necessarily unpredictable, which means not good for token generation. I think uid2 should be replaced with something using crypto.randomBytes() to prevent mistakes.

benweet, Feb 15 '14 01:02

Interesting: https://github.com/senchalabs/connect/issues/932. As I understand, randomBytes and pseudoRandomBytes have pretty much the same behavior on every platform so far.

benweet, Feb 15 '14 12:02

I would also like to see uid2 replaced. pseudoRandomBytes is not documented to return cryptographically secure random strings. The module also has no README and no link to the source code from the NPM page. Bleh.

The secure-random-string module would be a near-drop-in replacement that's cryptographically secure. It includes options to only use alpha-numeric characters in the string to be URL friendly, and also lets you set the length of the secure random string that you want.

markstos, Jun 08 '18 20:06

go with https://www.npmjs.com/package/uid-safe or https://www.npmjs.com/package/uuid

knoxcard, Sep 09 '19 07:09