Open midnight-wonderer opened 1 year ago
Hello there
I audited the code because the interface is weird; generally, generating a secure random in JavaScript is a blocking operation, and fernet.js generates IVs without exposing the async interface.
Turns out you are using the blocking version of randomBytes (https://github.com/csquared/fernet.js/blob/2eaa1c/fernet.js#L49).
Consider switching to the promisified version.
```javascript
const asyncRandomBytes = promisify(randomBytes); // declaration
await asyncRandomBytes(128 / 8); // usage
```
But this will probably require a major version bump because the interface will be changed. What is your take on this?
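The two call shapes contrasted in the issue, as an added example that is not fernet.js code or the poster's: the helper names (`generateIvSync`, `generateIvAsync`, `buildHeader`, `tokenHeaderAsync`) are hypothetical, and the header layout (version byte 0x80, 8-byte big-endian timestamp, 16-byte IV) is taken from the Fernet spec rather than from this page.

```javascript
// Added example with hypothetical helper names; not taken from fernet.js.
const { randomBytes } = require('node:crypto');
const { promisify } = require('node:util');

const IV_BYTES = 128 / 8; // 128-bit IV, the size used in the issue's snippet

// Blocking form: the call returns the Buffer directly.
function generateIvSync() {
  return randomBytes(IV_BYTES);
}

// Callback form of randomBytes does the work off the main thread;
// promisify turns that callback API into one that returns a Promise.
const asyncRandomBytes = promisify(randomBytes);

async function generateIvAsync() {
  const iv = await asyncRandomBytes(IV_BYTES);
  if (iv.length !== IV_BYTES) throw new Error('unexpected IV length');
  return iv;
}

// Fernet header per the spec: 0x80 || timestamp (uint64 BE) || IV.
function buildHeader(iv, nowSeconds) {
  const head = Buffer.alloc(9);
  head.writeUInt8(0x80, 0);
  head.writeBigUInt64BE(BigInt(nowSeconds), 1);
  return Buffer.concat([head, iv]);
}

// Synchronous interface: the caller gets the header back immediately.
function tokenHeaderSync(nowSeconds) {
  return buildHeader(generateIvSync(), nowSeconds);
}

// Asynchronous interface: every caller that needs an IV now receives a
// Promise, which is the interface change the issue refers to.
async function tokenHeaderAsync(nowSeconds) {
  return buildHeader(await generateIvAsync(), nowSeconds);
}
```
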