Switched to nanoid for key generation

To try and prevent any security issues, use an external package to generate key instead of doing it ourselves. Note: we have to use nanoid version 3 as nanoid version 4 requires ESM. Currently, nanoid v3 is still supported. Signed-off-by: Matthew Nickson <mnickson@sidingsmedia.com>
1 year ago · 669f8700b2
parent 11fa690e09
commit 669f8700b2
3 changed files with 6 additions and 5 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -45,6 +45,7 @@
                "mqtt": "~4.3.7",
                "mssql": "~8.1.4",
                "mysql2": "~2.3.3",
+                "nanoid": "^3.3.4",
                "node-cloudflared-tunnel": "~1.0.9",
                "node-radius-client": "~1.0.0",
                "nodemailer": "~6.6.5",
@ -14247,7 +14248,6 @@
            "version": "3.3.4",
            "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.4.tgz",
            "integrity": "sha512-MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw==",
-            "dev": true,
            "bin": {
                "nanoid": "bin/nanoid.cjs"
            },
@ -29825,8 +29825,7 @@
        "nanoid": {
            "version": "3.3.4",
            "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.4.tgz",
-            "integrity": "sha512-MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw==",
-            "dev": true
+            "integrity": "sha512-MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw=="
        },
        "native-duplexpair": {
            "version": "1.0.0",
--- a/package.json
+++ b/package.json
@ -103,6 +103,7 @@
        "mqtt": "~4.3.7",
        "mssql": "~8.1.4",
        "mysql2": "~2.3.3",
+        "nanoid": "^3.3.4",
        "node-cloudflared-tunnel": "~1.0.9",
        "node-radius-client": "~1.0.0",
        "nodemailer": "~6.6.5",
--- a/server/socket-handlers/api-key-socket-handler.js
+++ b/server/socket-handlers/api-key-socket-handler.js
@ -1,7 +1,7 @@
 const { checkLogin } = require("../util-server");
 const { log } = require("../../src/util");
 const { R } = require("redbean-node");
-const crypto = require("crypto");
+const { nanoid } = require("nanoid");
 const passwordHash = require("../password-hash");
 const apicache = require("../modules/apicache");
 const APIKey = require("../model/api_key");
@ -17,7 +17,8 @@ module.exports.apiKeySocketHandler = (socket) => {
    socket.on("addAPIKey", async (key, callback) => {
        try {
            checkLogin(socket);
-            let clearKey = crypto.randomBytes(32).toString("base64url");
+
+            let clearKey = nanoid(40);
            let hashedKey = passwordHash.generate(clearKey);
            key["key"] = hashedKey;
            let bean = await APIKey.save(key, socket.userID);