Replace password generation with web-crypto API

in order to remove insecure RNG provided in `Math.random()`

closes #64

Signed-off-by: Knut Ahlers <knut@ahlers.me>
Knut Ahlers 2022-08-26 00:41:55 +02:00
parent 279d87ceb1
commit 10f9cb2a08
No known key found for this signature in database
GPG Key ID: 0066F03ED215AD7D


@ -168,6 +168,9 @@
import axios from 'axios' import axios from 'axios'
import AES from 'gibberish-aes/src/gibberish-aes' import AES from 'gibberish-aes/src/gibberish-aes'
const passwordCharset = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
const passwordLength = 20
export default { export default {
name: 'App', name: 'App',
@ -212,8 +215,9 @@ export default {
methods: { methods: {
// createSecret executes the secret creation after encrypting the secret // createSecret executes the secret creation after encrypting the secret
createSecret() { createSecret() {
this.securePassword = Math.random().toString(36) this.securePassword = [...window.crypto.getRandomValues(new Uint8Array(passwordLength))]
.substring(2) .map(n => passwordCharset[n % passwordCharset.length])
.join('')
const secret = AES.enc(this.secret, this.securePassword) const secret = AES.enc(this.secret, this.securePassword)
axios.post('api/create', { secret }) axios.post('api/create', { secret })
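Review bot: The new `.map(n => passwordCharset[n % passwordCharset.length])` line in createSecret maps a byte (256 values) onto a 62-character charset with a plain modulo, so the result is slightly biased. Because 256 % 62 = 8, the characters '0'–'7' are each chosen with probability 5/256 and every other character with 4/256. The entropy loss is small, but since this string is the passphrase handed to `AES.enc`, it is worth removing by rejection sampling: discard bytes at or above 248 (the largest multiple of 62 that fits in a byte) and draw again until `passwordLength` characters are collected. createSecret's body continues past the end of the hunk.

```javascript
// Bytes at or above this limit are discarded so that every charset index is equally likely
const passwordByteLimit = 256 - (256 % passwordCharset.length)

    createSecret() {
      const chars = []
      while (chars.length < passwordLength) {
        for (const n of window.crypto.getRandomValues(new Uint8Array(passwordLength))) {
          if (n < passwordByteLimit && chars.length < passwordLength) {
            chars.push(passwordCharset[n % passwordCharset.length])
          }
        }
      }
      this.securePassword = chars.join('')
      // … unchanged: AES.enc and axios.post …
```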