diff --git a/README.md b/README.md index 1787c95..ea80007 100644 --- a/README.md +++ b/README.md @@ -132,7 +132,7 @@ POST /api/v1/key ### Verify uploaded key ``` -GET /api/v1/verify?keyId=b8e4105cc9dedc77&nonce=123e4567-e89b-12d3-a456-426655440000 +GET /api/v1/verify?keyId=b8e4105cc9dedc77&nonce=6a314915c09368224b11df0feedbc53c ``` ### Request key removal @@ -152,7 +152,7 @@ GET /api/v1/removeKey?keyId=b8e4105cc9dedc77 OR ?email=user@example.com ### Verify key removal ``` -GET /api/v1/verifyRemove?keyId=b8e4105cc9dedc77&nonce=123e4567-e89b-12d3-a456-426655440000 +GET /api/v1/verifyRemove?keyId=b8e4105cc9dedc77&nonce=6a314915c09368224b11df0feedbc53c ``` diff --git a/package.json b/package.json index 542682d..a54a8f1 100644 --- a/package.json +++ b/package.json @@ -21,7 +21,6 @@ "koa": "^1.2.0", "koa-router": "^5.4.0", "mongodb": "^2.1.20", - "node-uuid": "^1.4.7", "nodemailer": "^2.4.2", "nodemailer-openpgp": "^1.0.2", "npmlog": "^2.0.4", diff --git a/src/service/public-key.js b/src/service/public-key.js index b7f5adb..b240fac 100644 --- a/src/service/public-key.js +++ b/src/service/public-key.js @@ -18,7 +18,6 @@ 'use strict'; const util = require('./util'); -const uuid = require('node-uuid'); const tpl = require('../email/templates.json'); /** @@ -31,7 +30,7 @@ const tpl = require('../email/templates.json'); * { * name:'Jon Smith', * email:'jon@smith.com', - * nonce: "123e4567-e89b-12d3-a456-426655440000", // UUID v4 verifier used to prove ownership + * nonce: "6a314915c09368224b11df0feedbc53c", // random 32 char verifier used to prove ownership * verified: true // if the user ID has been verified * } * ], @@ -92,7 +91,7 @@ class PublicKey { yield this._mongo.remove({ fingerprint:key.fingerprint }, DB_TYPE); // generate nonces for verification for (let uid of key.userIds) { - uid.nonce = uuid.v4(); + uid.nonce = util.random(); } // persist new key let r = yield this._mongo.create(key, DB_TYPE); @@ -245,7 +244,7 @@ class PublicKey { return []; } if (email) { - let nonce = uuid.v4(); + let nonce = util.random(); yield this._mongo.update(query, { 'userIds.$.nonce':nonce }, DB_TYPE); let uid = key.userIds.find(u => u.email === email); uid.nonce = nonce; @@ -253,7 +252,7 @@ class PublicKey { } if (keyId) { for (let uid of key.userIds) { - let nonce = uuid.v4(); + let nonce = util.random(); yield this._mongo.update({ 'userIds.email':uid.email }, { 'userIds.$.nonce':nonce }, DB_TYPE); uid.nonce = nonce; } diff --git a/src/service/util.js b/src/service/util.js index a3d3fa5..7de9519 100644 --- a/src/service/util.js +++ b/src/service/util.js @@ -17,6 +17,8 @@ 'use strict'; +const crypto = require('crypto'); + /** * Checks for a valid string * @param {} data The input to be checked @@ -89,6 +91,17 @@ exports.throw = function(status, message) { throw err; }; +/** + * Generate a cryptographically secure random hex string. If no length is + * provided a 32 char hex string will be generated by default. + * @param {number} bytes (optional) The number of random bytes + * @return {string} The random bytes in hex (twice as long as bytes) + */ +exports.random = function(bytes) { + bytes = bytes || 16; + return crypto.randomBytes(bytes).toString('hex'); +}; + /** * Get the server's own origin host and protocol. Required for sending * verification links via email. If the PORT environmane variable diff --git a/test/unit/util-test.js b/test/unit/util-test.js index 496cc71..e8f9cf7 100644 --- a/test/unit/util-test.js +++ b/test/unit/util-test.js @@ -125,6 +125,16 @@ describe('Util Unit Tests', () => { }); }); + describe('random', () => { + it('should generate random 32 char hex string', () => { + expect(util.random().length).to.equal(32); + }); + + it('should generate random 16 char hex string', () => { + expect(util.random(8).length).to.equal(16); + }); + }); + describe('getOrigin', () => { it('should work', () => { expect(util.getOrigin({host:'h', protocol:'p'})).to.exist;