Commit 9be640c

Use crypto random bytes instead of a UUID for auth tokens
Both should be equally secure, but UUID formatting is needlessly long and weird, it's an unnecessary dependency, and inefficient (it's 128 bits in theory, but 4 bits are constant so really just 122, and then we're including dashes for formatting as well, and hex is not efficient either). Moving to crypto+base64url lets us boost the key size (122 to 160 bit) and simultaneously shorten the token length. This also makes it clearer that we're using cryptographically secure random values (really it should have been the same underlying source, but here we avoid hiding that away & trusting the uuid dep).
1 parent 5dfd6f0 commit 9be640c

File tree

3 files changed

+2
-38
lines changed


package-lock.json

Lines changed: 0 additions & 34 deletions

package.json

Lines changed: 0 additions & 2 deletions
@@ -129,7 +129,6 @@
129129
"os-proxy-config": "^1.1.1",
130130
"rimraf": "^2.7.1",
131131
"semver": "^7.2.1",
132-
"uuid": "^3.3.3",
133132
"yargs": "^15.1.0"
134133
},
135134
"devDependencies": {
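Review bot: dropping `"uuid": "^3.3.3"` from dependencies is only safe if src/index.ts was the sole consumer; this diff touches no other source file, so please confirm with a search for `from 'uuid` / `require('uuid` across src before merging, otherwise the app will fail at module load with a missing-module error rather than at build time.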
@@ -141,7 +140,6 @@
141140
"@types/semver": "^7.3.4",
142141
"@types/targz": "^1.0.0",
143142
"@types/universal-analytics": "^0.4.3",
144-
"@types/uuid": "^3.4.6",
145143
"@types/yargs": "^15.0.3",
146144
"babel-plugin-transform-async-to-generator": "^6.24.1",
147145
"babel-preset-env": "^1.7.0",
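Review bot: removing `"@types/uuid"` together with the runtime package is the right call and keeps devDependencies consistent with dependencies; note that the TypeScript build would not fail on a leftover `import * as uuid from 'uuid/v4'` elsewhere in a non-strict file once the types are gone, so the search for remaining uuid imports suggested for the dependencies hunk covers this one too.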

src/index.ts

Lines changed: 2 additions & 2 deletions
@@ -8,11 +8,11 @@ import * as os from 'os';
88
import { promises as fs, createWriteStream, WriteStream } from 'fs'
99
import * as net from 'net';
1010
import * as path from 'path';
11+
import * as crypto from 'crypto';
1112
import { promisify } from 'util';
1213
import * as querystring from 'querystring';
1314
import { URL } from 'url';
1415
import { app, BrowserWindow, shell, Menu, dialog, session, ipcMain } from 'electron';
15-
import * as uuid from 'uuid/v4';
1616
import * as yargs from 'yargs';
1717
import * as semver from 'semver';
1818
import * as rimraf from 'rimraf';
@@ -34,7 +34,7 @@ const packageJson = require('../package.json');
3434
const isWindows = os.platform() === 'win32';
3535

3636
const APP_URL = process.env.APP_URL || 'https://app.httptoolkit.tech';
37-
const AUTH_TOKEN = uuid();
37+
const AUTH_TOKEN = crypto.randomBytes(20).toString('base64url');
3838
const DESKTOP_VERSION = packageJson.version;
3939
const BUNDLED_SERVER_VERSION = packageJson.config['httptoolkit-server-version'];
4040
if (!semver.parse(BUNDLED_SERVER_VERSION)) {
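Review bot: `crypto.randomBytes(20).toString('base64url')` depends on the `'base64url'` Buffer encoding, which Node.js only added in v15.7.0 and backported to v14.18.0; on an Electron build bundling an older Node this line throws `ERR_UNKNOWN_ENCODING` at startup, before any window opens. Please confirm the pinned Electron's Node version supports it, or use the portable form `.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')` which yields the same 27-character token. The 20 bytes match the 160-bit figure in the commit message, and because this runs synchronously at module load the token is fixed for the process lifetime, which is the same behaviour as the removed `uuid()` call.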
