
Commit 0932634

committed
Generate tokens with CSPRNG
The hat package, used to generate session tokens and some other tokens, relies on a non-cryptographic random number generator. Replace it with a cryptographically secure one (Node's crypto.randomBytes). The result keeps the same format: a 32-character hex string carrying 128 bits of entropy.
1 parent c66cc8d commit 0932634

2 files changed

+5
-6
lines changed


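--- a/src/RestWrite.js
+++ b/src/RestWrite.js
@@ -4,7 +4,6 @@
 
 var crypto = require('crypto');
 var deepcopy = require('deepcopy');
-var rack = require('hat').rack();
 
 var Auth = require('./Auth');
 var cache = require('./cache');
@@ -252,7 +251,7 @@ RestWrite.prototype.handleFacebookAuthData = function() {
 throw new Parse.Error(Parse.Error.ACCOUNT_ALREADY_LINKED,
 'this auth is already used');
 } else {
-this.data.username = rack();
+this.data.username = crypto.randomBytes(16).toString('hex');
 }
 
 // This FB auth does not already exist, so transform it to a
@@ -273,7 +272,7 @@ RestWrite.prototype.transformUser = function() {
 var promise = Promise.resolve();
 
 if (!this.query) {
-var token = 'r:' + rack();
+var token = 'r:' + crypto.randomBytes(16).toString('hex');
 this.storage['token'] = token;
 promise = promise.then(() => {
 var expiresAt = new Date();
@@ -412,7 +411,7 @@ RestWrite.prototype.handleSession = function() {
 }
 
 if (!this.query && !this.auth.isMaster) {
-var token = 'r:' + rack();
+var token = 'r:' + crypto.randomBytes(16).toString('hex');
 var expiresAt = new Date();
 expiresAt.setFullYear(expiresAt.getFullYear() + 1);
 var sessionData = {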
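Review bot: The session-token expression `'r:' + crypto.randomBytes(16).toString('hex')` is now written out verbatim in transformUser, handleSession and handleLogIn (src/users.js), so the token format and its 128-bit entropy are defined in four places that can drift independently. Extract it once, e.g. `function newSessionToken() { return 'r:' + crypto.randomBytes(16).toString('hex'); }` in a shared module, and have each call site use it; the Facebook-auth username at line 254 can reuse the same helper minus the prefix. Note also that the synchronous `crypto.randomBytes` throws if the platform cannot supply random bytes, which is the desired fail-closed behavior here, but callers inside the promise chains should be aware that a thrown error (not a rejected promise) is the failure mode. If hat's `rack()` additionally de-duplicated values it had already issued in-process, that guarantee is gone, which at 128 random bits is an acceptable trade — worth one sentence in a comment above the helper. All three enclosing functions start and end outside their hunks.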

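--- a/src/users.js
+++ b/src/users.js
@@ -2,7 +2,7 @@
 
 var mongodb = require('mongodb');
 var Parse = require('parse/node').Parse;
-var rack = require('hat').rack();
+var crypto = require('crypto');
 
 var Auth = require('./Auth');
 var passwordCrypto = require('./password');
@@ -54,7 +54,7 @@ function handleLogIn(req) {
 throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND,
 'Invalid username/password.');
 }
-var token = 'r:' + rack();
+var token = 'r:' + crypto.randomBytes(16).toString('hex');
 user.sessionToken = token;
 delete user.password;
 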
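Review bot: The new token line in handleLogIn carries two magic values, the `'r:'` prefix and the byte count 16, with nothing saying why they were chosen or that other code may depend on the resulting 34-character shape. A one-line comment above it would save the next reader a trip through the commit log: `// Session token: 'r:' + 128 CSPRNG bits as 32 hex chars; format must match RestWrite.js`. Keeping this in sync with the identical expressions in src/RestWrite.js by hand is fragile; a shared helper would make the comment unnecessary. handleLogIn starts before this hunk and continues past it.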