Use random hex string instead of uuid for nonce

README.md

@@ -132,7 +132,7 @@ POST /api/v1/key
 ### Verify uploaded key
 
 ```
-GET /api/v1/verify?keyId=b8e4105cc9dedc77&nonce=123e4567-e89b-12d3-a456-426655440000
+GET /api/v1/verify?keyId=b8e4105cc9dedc77&nonce=6a314915c09368224b11df0feedbc53c
 ```
 
 ### Request key removal
@@ -152,7 +152,7 @@ GET /api/v1/removeKey?keyId=b8e4105cc9dedc77 OR ?email=user@example.com
 ### Verify key removal
 
 ```
-GET /api/v1/verifyRemove?keyId=b8e4105cc9dedc77&nonce=123e4567-e89b-12d3-a456-426655440000
+GET /api/v1/verifyRemove?keyId=b8e4105cc9dedc77&nonce=6a314915c09368224b11df0feedbc53c
 ```
 
 

package.json

@@ -21,7 +21,6 @@
     "koa": "^1.2.0",
     "koa-router": "^5.4.0",
     "mongodb": "^2.1.20",
-    "node-uuid": "^1.4.7",
     "nodemailer": "^2.4.2",
     "nodemailer-openpgp": "^1.0.2",
     "npmlog": "^2.0.4",

src/service/public-key.js

@@ -18,7 +18,6 @@
 'use strict';
 
 const util = require('./util');
-const uuid = require('node-uuid');
 const tpl = require('../email/templates.json');
 
 /**
@@ -31,7 +30,7 @@ const tpl = require('../email/templates.json');
  *     {
  *       name:'Jon Smith',
  *       email:'jon@smith.com',
- *       nonce: "123e4567-e89b-12d3-a456-426655440000", // UUID v4 verifier used to prove ownership
+ *       nonce: "6a314915c09368224b11df0feedbc53c", // random 32 char verifier used to prove ownership
  *       verified: true // if the user ID has been verified
  *     }
  *   ],
@@ -92,7 +91,7 @@ class PublicKey {
     yield this._mongo.remove({ fingerprint:key.fingerprint }, DB_TYPE);
     // generate nonces for verification
     for (let uid of key.userIds) {
-      uid.nonce = uuid.v4();
+      uid.nonce = util.random();
     }
     // persist new key
     let r = yield this._mongo.create(key, DB_TYPE);
@@ -245,7 +244,7 @@ class PublicKey {
       return [];
     }
     if (email) {
-      let nonce = uuid.v4();
+      let nonce = util.random();
       yield this._mongo.update(query, { 'userIds.$.nonce':nonce }, DB_TYPE);
       let uid = key.userIds.find(u => u.email === email);
       uid.nonce = nonce;
@@ -253,7 +252,7 @@ class PublicKey {
     }
     if (keyId) {
       for (let uid of key.userIds) {
-        let nonce = uuid.v4();
+        let nonce = util.random();
         yield this._mongo.update({ 'userIds.email':uid.email }, { 'userIds.$.nonce':nonce }, DB_TYPE);
         uid.nonce = nonce;
       }

src/service/util.js

@@ -17,6 +17,8 @@
 
 'use strict';
 
+const crypto = require('crypto');
+
 /**
  * Checks for a valid string
  * @param  {} data     The input to be checked
@@ -89,6 +91,17 @@ exports.throw = function(status, message) {
   throw err;
 };
 
+/**
+ * Generate a cryptographically secure random hex string. If no length is
+ * provided a 32 char hex string will be generated by default.
+ * @param  {number} bytes   (optional) The number of random bytes
+ * @return {string}         The random bytes in hex (twice as long as bytes)
+ */
+exports.random = function(bytes) {
+  bytes = bytes || 16;
+  return crypto.randomBytes(bytes).toString('hex');
+};
+
 /**
  * Get the server's own origin host and protocol. Required for sending
  * verification links via email. If the PORT environmane variable

test/unit/util-test.js

@@ -125,6 +125,16 @@ describe('Util Unit Tests', () => {
     });
   });
 
+  describe('random', () => {
+    it('should generate random 32 char hex string', () => {
+      expect(util.random().length).to.equal(32);
+    });
+
+    it('should generate random 16 char hex string', () => {
+      expect(util.random(8).length).to.equal(16);
+    });
+  });
+
   describe('getOrigin', () => {
     it('should work', () => {
       expect(util.getOrigin({host:'h', protocol:'p'})).to.exist;