From 1167b06326d0e7c019bd98e7b86acc2be7121029 Mon Sep 17 00:00:00 2001
From: Ben Adida <ben@adida.net>
Date: Tue, 29 Nov 2011 12:54:15 -0800
Subject: [PATCH] added random generation from /dev/urandom to make
 email-verification tokens more secure

---
 lib/secrets.js | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/lib/secrets.js b/lib/secrets.js
index 32adfcb6c..b2ad66e94 100644
--- a/lib/secrets.js
+++ b/lib/secrets.js
@@ -37,14 +37,32 @@ const
 path = require('path'),
 fs = require('fs'),
 jwk = require('jwcrypto/jwk'),
-jwt = require('jwcrypto/jwt');
+jwt = require('jwcrypto/jwt'),
+Buffer = require('buffer').Buffer;
+
+
+function randomBytes(length) {
+  var buf = new Buffer(length);
+  var fd = fs.openSync('/dev/urandom', 'r');
+  fs.readSync(fd, buf, 0, buf.length, 0);
+  fs.closeSync(fd);
+  return buf;
+}
+
+exports.randomBytes = randomBytes;
 
 exports.generate = function(chars) {
   var str = "";
   const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+
+  var bytes = randomBytes(chars);
+
+  // yes, we are biasing the output here a bit.
+  // I'm ok with that. We can improve this over time.
   for (var i=0; i < chars; i++) {
-    str += alphabet.charAt(Math.floor(Math.random() * alphabet.length));
+    str += alphabet.charAt(bytes[i] % alphabet.length);
   }
+  
   return str;
 }
 
-- 
GitLab