Better random (#213)
* randomString: generate a securely random string. Also, support lengths > 12 in case that's ever needed. This is used in at least one case (creating device tokens for users) where it seems important that the output is unpredictable. * Try harder to create unique usernames. The previous version added 16 bits of entropy to the username, which isn't all that much. Due to the birthday paradox, it would be enough to create ~256 users with the same prefix to get a collision. Trying that would probably fail later on, and not create security issues... but it just seems better to be on the safe side here.
This commit is contained in:
parent
c85b806bc1
commit
c9f3644988
|
@ -1,7 +1,11 @@
|
||||||
export const randomString = (length = 12) =>
|
// Returns a cryptographically random hexadecimal string of length `length`
|
||||||
Math.random()
|
// (thus containing 4*`length` bits of entropy).
|
||||||
.toString(16)
|
export const randomString = (length = 12) => {
|
||||||
.substring(2, length + 2)
|
const bytes = new Uint8Array(Math.ceil(length / 2))
|
||||||
|
crypto.getRandomValues(bytes)
|
||||||
|
const hex = bytes.reduce((s, b) => s + ('0' + b.toString(16)).slice(-2), '')
|
||||||
|
return hex.substring(0, length)
|
||||||
|
}
|
||||||
|
|
||||||
export function genHash(str: string) {
|
export function genHash(str: string) {
|
||||||
// xmur3
|
// xmur3
|
||||||
|
|
|
@ -42,8 +42,7 @@ export const createUser = functions
|
||||||
const name = cleanDisplayName(rawName)
|
const name = cleanDisplayName(rawName)
|
||||||
let username = cleanUsername(name)
|
let username = cleanUsername(name)
|
||||||
|
|
||||||
const sameNameUser = await getUserByUsername(username)
|
while (await getUserByUsername(username)) {
|
||||||
if (sameNameUser) {
|
|
||||||
username += randomString(4)
|
username += randomString(4)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user