perf(crypto): optimize CPU usage by switching to randomUUID and SHA-1

jujaga · jujaga · commit 29dba251b803 · 2026-03-20T00:54:58.000-07:00
- Replace synchronous randomBytes with randomUUID for CSP nonces
- Lazy-load CSP nonces using a property getter
- Switch from SHA-256 to SHA-1 for faster internal key and schema caching

Signed-off-by: Jeremy Ho &lt;jujaga@gmail.com&gt;
diff --git a/src/app.ts b/src/app.ts
@@ -2,7 +2,7 @@ import compression from 'compression';
 import cors from 'cors';
 import express from 'express';
 import helmet from 'helmet';
-import { randomBytes } from 'node:crypto';
+import { randomUUID } from 'node:crypto';
 import { rateLimit } from 'express-rate-limit';
 import favicon from 'serve-favicon';
 
@@ -46,7 +46,15 @@ app.use(express.json());
 app.use(express.urlencoded());
 app.use(favicon('src/public/favicon.ico'));
 app.use((_req: Request, res: Response<unknown, LocalContext>, next: NextFunction): void => {
-  res.locals.cspNonce = randomBytes(32).toString('hex');
+  let nonce: string | undefined;
+  Object.defineProperty(res.locals, 'cspNonce', {
+    get() {
+      nonce ??= randomUUID();
+      return nonce;
+    },
+    enumerable: true,
+    configurable: true
+  });
   next();
 });
 app.use(helmet());
diff --git a/src/services/helpers/lruCache.ts b/src/services/helpers/lruCache.ts
@@ -34,7 +34,7 @@ export async function cacheableRead<TB extends keyof DB, ID extends OperandValue
   const reader = (pk: ID) => repo.read(pk).executeTakeFirstOrThrow();
   if (!cacheEnabled) return await reader(id);
 
-  const hash = createHash('sha256').update(stringify(id)).digest('hex');
+  const hash = createHash('sha1').update(stringify(id)).digest('hex');
   return cacheWrapper(`${repo.tableName}:${hash}`, reader, id);
 }
 
@@ -55,7 +55,7 @@ export function cacheableUpsert<TB extends keyof DB>(
 ): Promise<Selectable<DB[TB]>> {
   if (!cacheEnabled) return findWhereOrUpsert(repo, data);
 
-  const hash = createHash('sha256').update(stringify(data)).digest('hex');
+  const hash = createHash('sha1').update(stringify(data)).digest('hex');
   return cacheWrapper(`${repo.tableName}:${hash}`, findWhereOrUpsert, repo, data);
 }
 
diff --git a/src/validators/schema/schema.ts b/src/validators/schema/schema.ts
@@ -43,7 +43,7 @@ export function createAjvInstance(opts?: Options): Ajv {
 export function ensureSchemaId(schema: AnySchemaObject): AnySchemaObject {
   if (schema.$id) return schema;
 
-  const hash = createHash('sha256').update(stringify(schema)).digest('hex');
+  const hash = createHash('sha1').update(stringify(schema)).digest('hex');
   return { $id: `schema:${hash}`, ...schema };
 }
 
diff --git a/tests/unit/services/helpers/lruCache.test.ts b/tests/unit/services/helpers/lruCache.test.ts
@@ -49,13 +49,13 @@ describe('cacheableRead', () => {
     expect(result).toEqual(readResult);
     expect(repo.read).toHaveBeenCalledWith('2.0.0');
 
-    const cacheKey = `pies.version:${createHash('sha256').update(stringify('2.0.0')).digest('hex')}`;
+    const cacheKey = `pies.version:${createHash('sha1').update(stringify('2.0.0')).digest('hex')}`;
     expect(lruCache.get(cacheKey)).toEqual(readResult);
   });
 
   it('returns cached result if available', async () => {
     const cachedResult = { id: '3.0.0' };
-    const cacheKey = `pies.version:${createHash('sha256').update(stringify('3.0.0')).digest('hex')}`;
+    const cacheKey = `pies.version:${createHash('sha1').update(stringify('3.0.0')).digest('hex')}`;
     lruCache.set(cacheKey, cachedResult);
 
     const result = await cacheableRead(repo, '3.0.0', true);
@@ -103,7 +103,7 @@ describe('cacheableUpsert', () => {
     expect(repo.upsert).toHaveBeenCalledWith(mockData);
 
     // Check cache
-    const cacheKey = `pies.version:${createHash('sha256').update(stringify(mockData)).digest('hex')}`;
+    const cacheKey = `pies.version:${createHash('sha1').update(stringify(mockData)).digest('hex')}`;
     expect(lruCache.get(cacheKey)).toEqual(upsertResult);
   });
 });
diff --git a/tests/unit/validators/schema/schema.test.ts b/tests/unit/validators/schema/schema.test.ts
@@ -43,8 +43,8 @@ describe('ensureSchemaId', () => {
 
     const result = ensureSchemaId(input);
 
-    // Verify format: "schema:" followed by a 64-character hex hash (SHA-256)
-    expect(result.$id).toMatch(/^schema:[a-f0-9]{64}$/);
+    // Verify format: "schema:" followed by a 40-character hex hash (SHA-1)
+    expect(result.$id).toMatch(/^schema:[a-f0-9]{40}$/);
     expect(result.type).toBe('object');
   });
 

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ export async function cacheableRead<TB extends keyof DB, ID extends OperandValue`
`34`	`34`	`const reader = (pk: ID) => repo.read(pk).executeTakeFirstOrThrow();`
`35`	`35`	`if (!cacheEnabled) return await reader(id);`
`36`	`36`
`37`		`- const hash = createHash('sha256').update(stringify(id)).digest('hex');`
	`37`	`+ const hash = createHash('sha1').update(stringify(id)).digest('hex');`
`38`	`38`	return cacheWrapper(`${repo.tableName}:${hash}`, reader, id);
`39`	`39`	`}`
`40`	`40`
`@@ -55,7 +55,7 @@ export function cacheableUpsert<TB extends keyof DB>(`
`55`	`55`	`): Promise<Selectable<DB[TB]>> {`
`56`	`56`	`if (!cacheEnabled) return findWhereOrUpsert(repo, data);`
`57`	`57`
`58`		`- const hash = createHash('sha256').update(stringify(data)).digest('hex');`
	`58`	`+ const hash = createHash('sha1').update(stringify(data)).digest('hex');`
`59`	`59`	return cacheWrapper(`${repo.tableName}:${hash}`, findWhereOrUpsert, repo, data);
`60`	`60`	`}`
`61`	`61`
Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ export function createAjvInstance(opts?: Options): Ajv {`
`43`	`43`	`export function ensureSchemaId(schema: AnySchemaObject): AnySchemaObject {`
`44`	`44`	`if (schema.$id) return schema;`
`45`	`45`
`46`		`- const hash = createHash('sha256').update(stringify(schema)).digest('hex');`
	`46`	`+ const hash = createHash('sha1').update(stringify(schema)).digest('hex');`
`47`	`47`	return { $id: `schema:${hash}`, ...schema };
`48`	`48`	`}`
`49`	`49`