luzifer/ots
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Replace password generation with web-crypto API

Browse source 
in order to remove insecure RNG provided in `Math.random()`

closes #64

Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
Knut Ahlers 2022-08-26 00:41:55 +02:00
parent 279d87ceb1
commit 10f9cb2a08
Signed by: luzifer
GPG key ID: 0066F03ED215AD7D
1 changed files with 6 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
src/app.vue
View file

@ -168,6 +168,9 @@
import axios from 'axios' import axios from 'axios'
import AES from 'gibberish-aes/src/gibberish-aes' import AES from 'gibberish-aes/src/gibberish-aes'
const passwordCharset = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
const passwordLength = 20
export default { export default {
name: 'App', name: 'App',
@ -212,8 +215,9 @@ export default {
methods: { methods: {
// createSecret executes the secret creation after encrypting the secret // createSecret executes the secret creation after encrypting the secret
createSecret() { createSecret() {
this.securePassword = Math.random().toString(36) this.securePassword = [...window.crypto.getRandomValues(new Uint8Array(passwordLength))]
.substring(2) .map(n => passwordCharset[n % passwordCharset.length])
.join('')
const secret = AES.enc(this.secret, this.securePassword) const secret = AES.enc(this.secret, this.securePassword)
axios.post('api/create', { secret }) axios.post('api/create', { secret })