uid-safe's Introduction

uid-safe

URL and cookie safe UIDs

Create cryptographically secure UIDs safe for both cookie and URL usage. This is in contrast to modules such as uid2, whose UIDs are skewed due to the use of % and which unnecessarily truncate the UID. Use this if you can accept UIDs with - and _ in them.

Installation

$ npm install uid-safe

API

var uid = require('uid-safe')

uid(byteLength, callback)

Asynchronously create a UID with a specific byte length. Because base64 encoding is used underneath, this is not the string length. For example, to create a UID of length 24, you want a byte length of 18.

uid(18, function (err, string) {
  if (err) throw err
  // do something with the string
})
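
The skew from % mentioned in the introduction and the byte-length to string-length relation described above can both be checked directly. This is an added example, not uid-safe's or uid2's code; the 62-character alphabet and the helper names (moduloHistogram, skewRatio, toUrlSafe, encodedLength) are assumptions made for illustration.

```javascript
// Added illustration; helper names are hypothetical, not uid-safe's API.
// Assumed 62-character alphanumeric alphabet, as used by many %-based generators.
var ALPHANUM = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
var BASE64URL = ALPHANUM + '-_' // 64 characters

// Count how often each character is selected when every possible byte value
// (0..255) is reduced with %. An unbiased mapping gives identical counts.
function moduloHistogram (alphabet) {
  var counts = {}
  for (var i = 0; i < alphabet.length; i++) counts[alphabet[i]] = 0
  for (var b = 0; b < 256; b++) counts[alphabet[b % alphabet.length]]++
  return counts
}

// Ratio between the most likely and least likely character (1 means no skew).
function skewRatio (alphabet) {
  var counts = moduloHistogram(alphabet)
  var values = Object.keys(counts).map(function (k) { return counts[k] })
  return Math.max.apply(null, values) / Math.min.apply(null, values)
}

// URL and cookie safe encoding: base64 with '+' -> '-', '/' -> '_', padding removed.
// Every input bit is kept, so nothing is truncated and nothing is skewed.
function toUrlSafe (buf) {
  return buf.toString('base64')
    .replace(/=+$/, '')
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
}

// String length produced for a given byte length (unpadded base64).
function encodedLength (byteLength) {
  return Math.ceil(byteLength * 4 / 3)
}

// Constructed sample bytes chosen so the output contains both '-' and '_'.
var sample = Buffer.from([0xfb, 0xff, 0xbe, 0x00, 0x10, 0x83])

console.log('62-char alphabet skew:', skewRatio(ALPHANUM))   // 256 is not a multiple of 62
console.log('64-char alphabet skew:', skewRatio(BASE64URL))  // 256 is a multiple of 64
console.log('sample encoded:', toUrlSafe(sample))
console.log('18 bytes ->', encodedLength(18), 'characters')
```

With 62 characters, 256 = 4 × 62 + 8, so the first eight characters are chosen 5 times out of 256 and the rest 4 times; a 64-character alphabet divides 256 evenly.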

uid(byteLength)

Asynchronously create a UID with a specific byte length and return a Promise.

Note: To use promises in Node.js prior to 0.12, promises must be "polyfilled" using global.Promise = require('bluebird').

uid(18).then(function (string) {
  // do something with the string
})

uid.sync(byteLength)

A synchronous version of the above.

var string = uid.sync(18)

License

MIT

uid-safe's People

Contributors

caub, dougwilson, jonathanong, magnitus-, sehrope

uid-safe's Issues

Doc Improvement

In the doc:

"To use promises, you must define a global Promise if necessary."

Maybe it's obvious for readers already familiar with Promises (especially in the context of a Node.js environment), but for those new to it, a tad more detail would be helpful.

The way it is phrased right now, it makes it seem as if you are expected to implement this yourself.

Something like this might be more helpful:

"To use promises, a global Promise variable must be defined in your environment. This is not the case for current versions of Node.js, but it can be achieved with a polyfill like the one in the es6-promise project."

mz really needed?

Hi,

Is it really necessary to require 'mz/crypto'?

I mean, could the module be rewritten to do the same job without installing an extra 600KB of dependencies?

Please update reference to repository

Hello,

In package.json I see:

"repository": "jonathanong/uid-safe",

But the real project homepage seems to be "crypto-utils/uid-safe/"

Can you please consider updating it?

UID-Safe potentially vulnerable to a predictable state

summary

Potentially vulnerable to an attack where entropy is exhausted and the library falls back to predictable random byte generation.

Code should warn the operator when entropy is exhausted to detect an attack.

issue

The code tries crypto.randomBytes and silently falls back to crypto.pseudoRandomBytes which can happen if entropy is exhausted.

function randomBytes(length, callback) {
  crypto.randomBytes(length, function (err, buf) {
    if (!err) return callback(null, buf)
    crypto.pseudoRandomBytes(length, function (err, buf) {
      if (err) return callback(err)
      callback(null, buf)
    })
  })
}

Notes from crypto documentation:

NOTE: Will throw error or invoke callback with error, if there is not enough accumulated entropy to generate cryptographically strong data. In other words, crypto.randomBytes without callback will not block even if all entropy sources are drained.

[crypto.pseudoRandomBytes] Generates non-cryptographically strong pseudo-random data. The data returned will be unique if it is sufficiently long, but is not necessarily unpredictable. For this reason, the output of this function should never be used where unpredictability is important, such as in the generation of encryption keys.
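
One way to do what the issue above asks, shown as an added example that is not uid-safe's code: return the error to the caller and notify the operator instead of falling back to a weaker generator. createStrictRandomBytes, its onFailure hook, failingSource and probe are hypothetical names, and the failing source is constructed to stand in for the error case the issue describes.

```javascript
var crypto = require('crypto')

// Hypothetical wrapper (not uid-safe's API). `source` has the same signature
// as crypto.randomBytes(length, callback); `onFailure` is the operator hook.
function createStrictRandomBytes (source, onFailure) {
  return function randomBytes (length, callback) {
    source(length, function (err, buf) {
      // Treat a missing or short buffer as a failure too.
      if (!err && (!Buffer.isBuffer(buf) || buf.length !== length)) {
        err = new Error('random source did not return ' + length + ' bytes')
      }
      if (err) {
        onFailure(err, length) // make the failure visible: log, metric, alert
        return callback(err)   // fail closed: no weaker generator is tried
      }
      callback(null, buf)
    })
  }
}

// Typical wiring: strong source only, failures reported on stderr.
var strictRandomBytes = createStrictRandomBytes(crypto.randomBytes, function (err, length) {
  console.error('CSPRNG failure requesting %d bytes: %s', length, err.message)
})

// Constructed failing source standing in for the error case in the issue.
function failingSource (length, callback) {
  callback(new Error('constructed: not enough entropy'))
}

// Run one request against a synchronous test source and report what the
// caller and the operator hook observed.
function probe (source, length) {
  var seen = { alerts: 0, err: null, bytes: null }
  var rb = createStrictRandomBytes(source, function () { seen.alerts++ })
  rb(length, function (err, buf) {
    seen.err = err
    seen.bytes = buf || null
  })
  return seen
}

console.log(probe(failingSource, 18)) // error surfaced, one alert, no bytes
```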
