skoruba / Duende.IdentityServer.Admin

The administration for the Duende IdentityServer and Asp.Net Core Identity ⚡
Apache License 2.0

Not use math.random for generating secrets #126

Open hilmer-martin opened 1 year ago

hilmer-martin commented 1 year ago

Is your feature request related to a problem? Please describe.
Currently a client_secret will be generated with Math.random. This is not recommended because it is not cryptographically secure.

Describe the solution you'd like
The solution would be to use the crypto api instead.

https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey

Describe alternatives you've considered

Additional context

skoruba commented 1 year ago

Thank you for your suggestion - are you interested in sending a PR for it?

hilmer-martin commented 1 year ago

Yes, I will prepare one.

Thank you for your fast feedback.

I'll take the code snippet from https://nicozerpa.com/never-use-math-random-for-passwords/ for secret generation.

Now I'm stuck on bundling (and testing) because of errors while running npm install.

I will invest more time tomorrow.

skoruba commented 1 year ago

Very good, thanks for your time 👌🏻

rosenbach commented 1 year ago

I handed in a PR that would fix this: #153