Open ericelliott opened 8 years ago
Cool. Should we replace our random string util with this? Maybe our generators should also offer to generate the cookie secret? =)
Do the generators already generate a cookie secret? Looks like https://github.com/keystonejs/generator-keystone/search?utf8=%E2%9C%93&q=cookieSecret&type=Code `this.cookieSecret` is defined and then placed in the `.env` file. Or is that not working?
@JedWatson does keystone-utils have to work in the browser as well? This affects the solution.
Yes, but it uses `Math.random()` to do it, which is not safe for this purpose. It should use a CSPRNG like `crypto.randomBytes()` (used in node-csprng).

I believe it's safe to use `crypto.randomBytes()` in the browser using browserify and Webpack.
https://github.com/keystonejs/generator-keystone/blob/89419a6fb41b0cd744937f441c2d46229b775a30/app/index.js#L284 uses `utils.randomString`, and that's implemented using jed's own `randomkey` package: https://github.com/keystonejs/keystone-utils/blob/master/lib/index.js#L232. Maybe the `randomkey` package should be augmented to provide a CSPRNG option.
I'm inclined to simply use `crypto.randomBytes` in the generator instead of changing the utils too much.
A CSPRNG random string generator with a CLI would be very useful for things like generating the cookie secret, etc. Is something like that already available? The current `Math.random()` implementation is quite weak, cryptographically speaking, and should not be used for those purposes.