Use random hex string instead of uuid for nonce

This commit is contained in:
Tankred Hase 2016-06-10 10:44:26 +02:00
parent 9cdbfeae87
commit 405bb84ca6
5 changed files with 29 additions and 8 deletions

View File

@ -132,7 +132,7 @@ POST /api/v1/key
### Verify uploaded key
```
GET /api/v1/verify?keyId=b8e4105cc9dedc77&nonce=123e4567-e89b-12d3-a456-426655440000
GET /api/v1/verify?keyId=b8e4105cc9dedc77&nonce=6a314915c09368224b11df0feedbc53c
```
### Request key removal
@ -152,7 +152,7 @@ GET /api/v1/removeKey?keyId=b8e4105cc9dedc77 OR ?email=user@example.com
### Verify key removal
```
GET /api/v1/verifyRemove?keyId=b8e4105cc9dedc77&nonce=123e4567-e89b-12d3-a456-426655440000
GET /api/v1/verifyRemove?keyId=b8e4105cc9dedc77&nonce=6a314915c09368224b11df0feedbc53c
```

View File

@ -21,7 +21,6 @@
"koa": "^1.2.0",
"koa-router": "^5.4.0",
"mongodb": "^2.1.20",
"node-uuid": "^1.4.7",
"nodemailer": "^2.4.2",
"nodemailer-openpgp": "^1.0.2",
"npmlog": "^2.0.4",

View File

@ -18,7 +18,6 @@
'use strict';
const util = require('./util');
const uuid = require('node-uuid');
const tpl = require('../email/templates.json');
/**
@ -31,7 +30,7 @@ const tpl = require('../email/templates.json');
* {
* name:'Jon Smith',
* email:'jon@smith.com',
* nonce: "123e4567-e89b-12d3-a456-426655440000", // UUID v4 verifier used to prove ownership
* nonce: "6a314915c09368224b11df0feedbc53c", // random 32 char verifier used to prove ownership
* verified: true // if the user ID has been verified
* }
* ],
@ -92,7 +91,7 @@ class PublicKey {
yield this._mongo.remove({ fingerprint:key.fingerprint }, DB_TYPE);
// generate nonces for verification
for (let uid of key.userIds) {
uid.nonce = uuid.v4();
uid.nonce = util.random();
}
// persist new key
let r = yield this._mongo.create(key, DB_TYPE);
@ -245,7 +244,7 @@ class PublicKey {
return [];
}
if (email) {
let nonce = uuid.v4();
let nonce = util.random();
yield this._mongo.update(query, { 'userIds.$.nonce':nonce }, DB_TYPE);
let uid = key.userIds.find(u => u.email === email);
uid.nonce = nonce;
@ -253,7 +252,7 @@ class PublicKey {
}
if (keyId) {
for (let uid of key.userIds) {
let nonce = uuid.v4();
let nonce = util.random();
yield this._mongo.update({ 'userIds.email':uid.email }, { 'userIds.$.nonce':nonce }, DB_TYPE);
uid.nonce = nonce;
}

View File

@ -17,6 +17,8 @@
'use strict';
const crypto = require('crypto');
/**
* Checks for a valid string
* @param {} data The input to be checked
@ -89,6 +91,17 @@ exports.throw = function(status, message) {
throw err;
};
/**
* Generate a cryptographically secure random hex string. If no length is
* provided a 32 char hex string will be generated by default.
* @param {number} bytes (optional) The number of random bytes
* @return {string} The random bytes in hex (twice as long as bytes)
*/
exports.random = function(bytes) {
bytes = bytes || 16;
return crypto.randomBytes(bytes).toString('hex');
};
/**
* Get the server's own origin host and protocol. Required for sending
* verification links via email. If the PORT environmane variable

View File

@ -125,6 +125,16 @@ describe('Util Unit Tests', () => {
});
});
describe('random', () => {
it('should generate random 32 char hex string', () => {
expect(util.random().length).to.equal(32);
});
it('should generate random 16 char hex string', () => {
expect(util.random(8).length).to.equal(16);
});
});
describe('getOrigin', () => {
it('should work', () => {
expect(util.getOrigin({host:'h', protocol:'p'})).to.exist;