Switched to nanoid for key generation

To try and prevent any security issues, use an external package to
generate key instead of doing it ourselves. Note: we have to use nanoid
version 3 as nanoid version 4 requires ESM. Currently, nanoid v3 is
still supported.

Signed-off-by: Matthew Nickson <mnickson@sidingsmedia.com>
pull/2558/head
Matthew Nickson 2 years ago
parent 11fa690e09
commit 669f8700b2
No known key found for this signature in database
GPG Key ID: BF229DCFD4748E05

5
package-lock.json generated

@ -45,6 +45,7 @@
"mqtt": "~4.3.7",
"mssql": "~8.1.4",
"mysql2": "~2.3.3",
"nanoid": "^3.3.4",
"node-cloudflared-tunnel": "~1.0.9",
"node-radius-client": "~1.0.0",
"nodemailer": "~6.6.5",
@ -14247,7 +14248,6 @@
"version": "3.3.4",
"resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.4.tgz",
"integrity": "sha512-MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw==",
"dev": true,
"bin": {
"nanoid": "bin/nanoid.cjs"
},
@ -29825,8 +29825,7 @@
"nanoid": {
"version": "3.3.4",
"resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.4.tgz",
"integrity": "sha512-MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw==",
"dev": true
"integrity": "sha512-MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw=="
},
"native-duplexpair": {
"version": "1.0.0",

@ -103,6 +103,7 @@
"mqtt": "~4.3.7",
"mssql": "~8.1.4",
"mysql2": "~2.3.3",
"nanoid": "^3.3.4",
"node-cloudflared-tunnel": "~1.0.9",
"node-radius-client": "~1.0.0",
"nodemailer": "~6.6.5",

@ -1,7 +1,7 @@
const { checkLogin } = require("../util-server");
const { log } = require("../../src/util");
const { R } = require("redbean-node");
const crypto = require("crypto");
const { nanoid } = require("nanoid");
const passwordHash = require("../password-hash");
const apicache = require("../modules/apicache");
const APIKey = require("../model/api_key");
@ -17,7 +17,8 @@ module.exports.apiKeySocketHandler = (socket) => {
socket.on("addAPIKey", async (key, callback) => {
try {
checkLogin(socket);
let clearKey = crypto.randomBytes(32).toString("base64url");
let clearKey = nanoid(40);
let hashedKey = passwordHash.generate(clearKey);
key["key"] = hashedKey;
let bean = await APIKey.save(key, socket.userID);

Loading…
Cancel
Save