Open marten-de-vries opened 5 years ago
Thank you for your heads-up! I know this is a bad idea in general, but I just needed it to work somehow without using any native crypto library (which it does now). Right now Expo has no way of generating secure random bytes without detaching.
I know it is hacky and for my use case the secureRandom function only has to work and not be cryptographically strong. Webcrypto does not work here and I thought about renaming the function to unsecureRandom ;)
There are two things that should be fixed: the mentioned secureRandom and in sessionapi.js: sessionID: 1 //newSessionId(userDoc, info)
PRs are welcome.
Hi, I originally wrote pouchdb-auth and stumbled upon your fork. I like the idea of replacing the old crypto library with webcrypto APIs. When skimming the code I noticed your secureRandom implementation is backed by Math.random(), though, which is a bad idea security-wise. You might want to fix that. https://github.com/riebel/pouchdb-auth-webcrypto/blob/b44a89400683180001321ade97b05b45ee55ee36/lib/utils.js#L22
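Added example, not part of the thread and not the project's code: a `secureRandom` that draws from the platform CSPRNG and throws when none is available instead of falling back to `Math.random()`, plus a session ID built from it in place of a constant. The signatures, the `findCsprng` and `randomSessionId` names, and the 16-byte ID length are assumptions made for illustration.

```javascript
// Locate a Web Crypto style provider; returns null when the runtime has none.
function findCsprng() {
  const g = globalThis.crypto;
  if (g && typeof g.getRandomValues === 'function') return g;
  if (typeof require === 'function') {
    try {
      const wc = require('crypto').webcrypto; // older Node.js without the global
      if (wc && typeof wc.getRandomValues === 'function') return wc;
    } catch (e) { /* no Node crypto module in this runtime */ }
  }
  return null;
}

// Return `byteLength` random bytes from the CSPRNG.
// Fails closed: a missing CSPRNG is an error, never a silent Math.random() fallback.
function secureRandom(byteLength, provider = findCsprng()) {
  if (!Number.isInteger(byteLength) || byteLength <= 0 || byteLength > 65536) {
    throw new RangeError('byteLength must be an integer in 1..65536');
  }
  if (!provider || typeof provider.getRandomValues !== 'function') {
    throw new Error('no cryptographically secure random source available');
  }
  const buf = new Uint8Array(byteLength);
  provider.getRandomValues(buf); // fills buf in place
  return buf;
}

// Hypothetical session ID generator: 16 random bytes, hex encoded,
// so every session gets an unpredictable ID rather than a fixed value.
function randomSessionId(provider = findCsprng()) {
  return Array.from(secureRandom(16, provider),
    (b) => b.toString(16).padStart(2, '0')).join('');
}
```
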