
Consider using the nonce package

Open fhartwig opened this issue 9 years ago • 3 comments

We're currently using nonces for user confirmation tokens, email reset tokens, session tokens etc. These are generated by genRandomBytes'P from Thentos.Action.Core. There is a new-ish package called nonce on hackage to generate nonces. Since nonce generation is fairly easy to get wrong in fairly subtle ways (e.g. re-using nonces, generating insufficiently random nonces etc.), we might want to use that instead of rolling our own.

fhartwig, Jun 11 '15 10:06
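As an added illustration (not thentos code, and not part of this issue) of what replacing genRandomBytes'P with the nonce package would look like for the token kinds listed above; it assumes the nonce package's Crypto.Nonce API (`new`, `nonce128urlT`) and the token newtypes are hypothetical.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example, not code from thentos: issuing confirmation and session
-- tokens with the nonce package instead of a hand-rolled generator.
-- Assumption: the nonce package exports Crypto.Nonce.new and
-- Crypto.Nonce.nonce128urlT (128 random bits, base64url-encoded).
module Main (main) where

import qualified Crypto.Nonce as Nonce
import qualified Data.Text as T
import qualified Data.Text.IO as T

-- Hypothetical newtypes: a confirmation token cannot be passed where a
-- session token is expected. This is a type-level guard, not a
-- cryptographic one; the randomness still comes from the generator.
newtype ConfirmationToken = ConfirmationToken T.Text deriving (Eq, Show)
newtype SessionToken      = SessionToken      T.Text deriving (Eq, Show)

-- One Generator is created at application start and reused for every
-- token; each call draws fresh randomness from it.
newConfirmationToken :: Nonce.Generator -> IO ConfirmationToken
newConfirmationToken g = ConfirmationToken <$> Nonce.nonce128urlT g

newSessionToken :: Nonce.Generator -> IO SessionToken
newSessionToken g = SessionToken <$> Nonce.nonce128urlT g

main :: IO ()
main = do
  g <- Nonce.new
  ConfirmationToken c1 <- newConfirmationToken g
  ConfirmationToken c2 <- newConfirmationToken g
  SessionToken s       <- newSessionToken g
  T.putStrLn (T.append "confirmation token: " c1)
  T.putStrLn (T.append "session token:      " s)
  -- Two consecutive tokens being equal would mean the generator is not
  -- producing fresh randomness (the re-use failure mode named above).
  if c1 == c2
    then error "nonce generator returned a repeated value"
    else putStrLn "tokens differ, as expected"
```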

See also #129. Perhaps there is nonce functionality in cryptonite as well?

mf59816, Jun 12 '15 07:06

Cryptonite doesn't seem to do nonces. Also, nonce generation (i.e. randomness) seems to be the only thing that we use cryptonite for, so we could probably drop that dependency if we used the nonce package.

fhartwig, Jun 15 '15 09:06

Makes sense, but no (-:

  1. crypto-random, the dependency of nonce, is going to be replaced by cryptonite, so the thing to do would be to make nonce depend on cryptonite, not to make thentos depend on crypto-random again.
  2. I am expecting to depend on other features of cryptonite in the future.

mf59816, Jun 15 '15 09:06