Replace password generation with web-crypto API

in order to remove insecure RNG provided in `Math.random()` closes #64 Signed-off-by: Knut Ahlers <knut@ahlers.me>
2022-08-26 00:41:55 +02:00 · 2022-08-26 00:41:55 +02:00 · 10f9cb2a08
commit 10f9cb2a08
parent 279d87ceb1
1 changed files with 6 additions and 2 deletions
--- a/src/app.vue
+++ b/src/app.vue
@ -168,6 +168,9 @@
 import axios from 'axios'
 import AES from 'gibberish-aes/src/gibberish-aes'

+const passwordCharset = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
+const passwordLength = 20
+
 export default {
  name: 'App',

@ -212,8 +215,9 @@ export default {
  methods: {
    // createSecret executes the secret creation after encrypting the secret
    createSecret() {
-      this.securePassword = Math.random().toString(36)
-        .substring(2)
+      this.securePassword = [...window.crypto.getRandomValues(new Uint8Array(passwordLength))]
+        .map(n => passwordCharset[n % passwordCharset.length])
+        .join('')
      const secret = AES.enc(this.secret, this.securePassword)

      axios.post('api/create', { secret })