Use random hex string instead of uuid for nonce

2016-06-10 10:44:26 +02:00 · 2016-06-10 10:44:26 +02:00 · 405bb84ca6
commit 405bb84ca6
parent 9cdbfeae87
5 changed files with 29 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -132,7 +132,7 @@ POST /api/v1/key
 ### Verify uploaded key
 ```
-GET /api/v1/verify?keyId=b8e4105cc9dedc77&nonce=123e4567-e89b-12d3-a456-426655440000
+GET /api/v1/verify?keyId=b8e4105cc9dedc77&nonce=6a314915c09368224b11df0feedbc53c
 ```
 ### Request key removal
@ -152,7 +152,7 @@ GET /api/v1/removeKey?keyId=b8e4105cc9dedc77 OR ?email=user@example.com
 ### Verify key removal
 ```
-GET /api/v1/verifyRemove?keyId=b8e4105cc9dedc77&nonce=123e4567-e89b-12d3-a456-426655440000
+GET /api/v1/verifyRemove?keyId=b8e4105cc9dedc77&nonce=6a314915c09368224b11df0feedbc53c
 ```
--- a/package.json
+++ b/package.json
@ -21,7 +21,6 @@
    "koa": "^1.2.0",
    "koa-router": "^5.4.0",
    "mongodb": "^2.1.20",
    "node-uuid": "^1.4.7",
    "nodemailer": "^2.4.2",
    "nodemailer-openpgp": "^1.0.2",
    "npmlog": "^2.0.4",
--- a/src/service/public-key.js
+++ b/src/service/public-key.js
@ -18,7 +18,6 @@
 'use strict';
 const util = require('./util');
 const uuid = require('node-uuid');
 const tpl = require('../email/templates.json');
 /**
@ -31,7 +30,7 @@ const tpl = require('../email/templates.json');
 *     {
 *       name:'Jon Smith',
 *       email:'jon@smith.com',
- *       nonce: "123e4567-e89b-12d3-a456-426655440000", // UUID v4 verifier used to prove ownership
+ *       nonce: "6a314915c09368224b11df0feedbc53c", // random 32 char verifier used to prove ownership
 *       verified: true // if the user ID has been verified
 *     }
 *   ],
@ -92,7 +91,7 @@ class PublicKey {
    yield this._mongo.remove({ fingerprint:key.fingerprint }, DB_TYPE);
    // generate nonces for verification
    for (let uid of key.userIds) {
-      uid.nonce = uuid.v4();
+      uid.nonce = util.random();
    }
    // persist new key
    let r = yield this._mongo.create(key, DB_TYPE);
@ -245,7 +244,7 @@ class PublicKey {
      return [];
    }
    if (email) {
-      let nonce = uuid.v4();
+      let nonce = util.random();
      yield this._mongo.update(query, { 'userIds.$.nonce':nonce }, DB_TYPE);
      let uid = key.userIds.find(u => u.email === email);
      uid.nonce = nonce;
@ -253,7 +252,7 @@ class PublicKey {
    }
    if (keyId) {
      for (let uid of key.userIds) {
-        let nonce = uuid.v4();
+        let nonce = util.random();
        yield this._mongo.update({ 'userIds.email':uid.email }, { 'userIds.$.nonce':nonce }, DB_TYPE);
        uid.nonce = nonce;
      }
--- a/src/service/util.js
+++ b/src/service/util.js
@ -17,6 +17,8 @@
 'use strict';
 const crypto = require('crypto');
 /**
 * Checks for a valid string
 * @param  {} data     The input to be checked
@ -89,6 +91,17 @@ exports.throw = function(status, message) {
  throw err;
 };
 /**
 * Generate a cryptographically secure random hex string. If no length is
 * provided a 32 char hex string will be generated by default.
 * @param  {number} bytes   (optional) The number of random bytes
 * @return {string}         The random bytes in hex (twice as long as bytes)
 */
 exports.random = function(bytes) {
  bytes = bytes || 16;
  return crypto.randomBytes(bytes).toString('hex');
 };
 /**
 * Get the server's own origin host and protocol. Required for sending
 * verification links via email. If the PORT environmane variable
--- a/test/unit/util-test.js
+++ b/test/unit/util-test.js
@ -125,6 +125,16 @@ describe('Util Unit Tests', () => {
    });
  });
  describe('random', () => {
    it('should generate random 32 char hex string', () => {
      expect(util.random().length).to.equal(32);
    });
    it('should generate random 16 char hex string', () => {
      expect(util.random(8).length).to.equal(16);
    });
  });
  describe('getOrigin', () => {
    it('should work', () => {
      expect(util.getOrigin({host:'h', protocol:'p'})).to.exist;