From 9a6f3607e59af5668d42b498b3d860af2d1903da Mon Sep 17 00:00:00 2001
From: Ben Adida <ben@adida.net>
Date: Thu, 22 Dec 2011 16:30:21 -0800
Subject: [PATCH] added random seed in session context and in the process
 improved CSRF token entropy fixes #800

---
 lib/wsapi/session_context.js | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/wsapi/session_context.js b/lib/wsapi/session_context.js
index 3f250d531..8a4dd29a5 100644
--- a/lib/wsapi/session_context.js
+++ b/lib/wsapi/session_context.js
@@ -6,6 +6,7 @@ wsapi = require('../wsapi.js'),
 secrets = require('../secrets.js');
 
 // return the CSRF token, authentication status, and current server time (for assertion signing)
+// 2011-12-22: adding a random seed for keygen
 // IMPORTANT: this is safe because it's only readable by same-origin code
 
 exports.method = 'get';
@@ -22,9 +23,9 @@ exports.process = function(req, res) {
   }
 
   if (typeof req.session.csrf == 'undefined') {
-    // FIXME: using express-csrf's approach for generating randomness
-    // not awesome, but probably sufficient for now.
-    req.session.csrf = crypto.createHash('md5').update('' + new Date().getTime()).digest('hex');
+    // more random CSRF
+    // FIXME: async?
+    req.session.csrf = crypto.randomBytes(16).toString('base64');
     logger.debug("NEW csrf token created: " + req.session.csrf);
   }
 
@@ -35,7 +36,8 @@ exports.process = function(req, res) {
       csrf_token: req.session.csrf,
       server_time: (new Date()).getTime(),
       authenticated: auth_status,
-      domain_key_creation_time: domainKeyCreationDate.getTime()
+      domain_key_creation_time: domainKeyCreationDate.getTime(),
+      random_seed: crypto.randomBytes(32).toString('base64')
     });
   };
 
-- 
GitLab