From 669f8700b236cc7727b6485d5f6126ee6f88e233 Mon Sep 17 00:00:00 2001
From: Matthew Nickson
Date: Sun, 26 Feb 2023 19:36:50 +0000
Subject: [PATCH] Switched to nanoid for key generation

To try and prevent any security issues, use an external package to generate key instead of doing it ourselves.

Note: we have to use nanoid version 3 as nanoid version 4 requires ESM. Currently, nanoid v3 is still supported.

Signed-off-by: Matthew Nickson
---
 package-lock.json | 5 ++---
 package.json | 1 +
 server/socket-handlers/api-key-socket-handler.js | 5 +++--
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 5e57a9325..328043b6f 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -45,6 +45,7 @@
 "mqtt": "~4.3.7",
 "mssql": "~8.1.4",
 "mysql2": "~2.3.3",
+ "nanoid": "^3.3.4",
 "node-cloudflared-tunnel": "~1.0.9",
 "node-radius-client": "~1.0.0",
 "nodemailer": "~6.6.5",
@@ -14247,7 +14248,6 @@
 "version": "3.3.4",
 "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.4.tgz",
 "integrity": "sha512-MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw==",
- "dev": true,
 "bin": {
 "nanoid": "bin/nanoid.cjs"
 },
@@ -29825,8 +29825,7 @@
 "nanoid": {
 "version": "3.3.4",
 "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.4.tgz",
- "integrity": "sha512-MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw==",
- "dev": true
+ "integrity": "sha512-MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw=="
 },
 "native-duplexpair": {
 "version": "1.0.0",
diff --git a/package.json b/package.json
index a3f6066b9..7b5facab2 100644
--- a/package.json
+++ b/package.json
@@ -103,6 +103,7 @@
 "mqtt": "~4.3.7",
 "mssql": "~8.1.4",
 "mysql2": "~2.3.3",
+ "nanoid": "^3.3.4",
 "node-cloudflared-tunnel": "~1.0.9",
 "node-radius-client": "~1.0.0",
 "nodemailer": "~6.6.5",
diff --git a/server/socket-handlers/api-key-socket-handler.js b/server/socket-handlers/api-key-socket-handler.js
index 546226f69..69b0b60de 100644
--- a/server/socket-handlers/api-key-socket-handler.js
+++ b/server/socket-handlers/api-key-socket-handler.js
@@ -1,7 +1,7 @@
 const { checkLogin } = require("../util-server");
 const { log } = require("../../src/util");
 const { R } = require("redbean-node");
-const crypto = require("crypto");
+const { nanoid } = require("nanoid");
 const passwordHash = require("../password-hash");
 const apicache = require("../modules/apicache");
 const APIKey = require("../model/api_key");
@@ -17,7 +17,8 @@ module.exports.apiKeySocketHandler = (socket) => {
 socket.on("addAPIKey", async (key, callback) => {
 try {
 checkLogin(socket);
- let clearKey = crypto.randomBytes(32).toString("base64url");
+
+ let clearKey = nanoid(40);
 let hashedKey = passwordHash.generate(clearKey);
 key["key"] = hashedKey;
 let bean = await APIKey.save(key, socket.userID);
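Review bot: `let clearKey = nanoid(40);` yields about 240 bits of randomness (nanoid's default alphabet has 64 symbols, 6 bits each) where the removed `crypto.randomBytes(32)` gave 256, and since nanoid 3 itself draws on Node's `crypto` CSPRNG the commit does not close a weakness so much as add a third-party package to the key-generation path; both sizes are adequate, but the choice of 40 is undocumented. Because `key["key"]` stores only `passwordHash.generate(clearKey)`, the clear key's unpredictability rests entirely on this entropy, so a comment above the call such as `// nanoid: 64-symbol alphabet from Node's CSPRNG; 40 chars ≈ 240 bits, comparable to the former randomBytes(32)` would keep the length from being reduced casually. The stray empty `+` line added above it should be dropped, and `clearKey` can be `const` since it is not reassigned within the hunk. The `addAPIKey` handler and its `try` block continue past the hunk.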