From 4d6545e66feb0e7ec53c76a3bf0247c1c3629dd4 Mon Sep 17 00:00:00 2001
From: gumi
Date: Tue, 31 Mar 2020 14:36:40 -0400
Subject: add support for nanoid for session tokens

---
 src/routers/vault/types/Session.js | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

(limited to 'src/routers/vault/types/Session.js')

diff --git a/src/routers/vault/types/Session.js b/src/routers/vault/types/Session.js
index 59737b3..d1b3943 100644
--- a/src/routers/vault/types/Session.js
+++ b/src/routers/vault/types/Session.js
@@ -1,8 +1,15 @@
-const uuidv4 = require("uuid/v4");
+const nanoid = require("nanoid");
+const dictionaries = require("nanoid-dictionary");
 const Identity = require("./Identity.js");
 const EvolAccount = require("./EvolAccount.js");
 const LegacyAccount = require("./LegacyAccount.js");
 
+/** custom nanoid generators */
+const newToken = {
+ n23: nanoid.customAlphabet(dictionaries.nolookalikes, 23),
+ n36: () => nanoid.nanoid(36),
+};
+
 /**
  * holds a cache of all the user data fetched from SQL
  */
@@ -72,18 +79,26 @@ module.exports = class Session {
 constructor (ip, email) {
 this.ip = ip;
 this.email = email.toLowerCase();
- this.secret = uuidv4();
+ this.secret = newToken.n36();
+ }
+
+ /**
+ * generate a secure unique token that is shared with the end-user.
+ * excludes lookalike characters but is still stronger than uuidv4
+ * @param {number} - the token length
+ */
+ static async generateToken () {
+ return newToken.n23();
 }
 
 /**
 * serialize for sending over the network
- * @param {*} key
 */
- toJSON (key) {
+ toJSON () {
 return {
 expires: this.expires,
 identity: this.identity.id,
- }
+ };
 }
 
 /**
--
cgit v1.2.3-70-g09d2
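Review bot: The generator names `n23` and `n36` in the new `newToken` object encode only the output length, so a reader of `this.secret = newToken.n36()` further down cannot tell which generator is meant for which purpose. Naming them by role would make both call sites self-explaining, e.g. `sessionSecret: () => nanoid.nanoid(36)` and `userToken: nanoid.customAlphabet(dictionaries.nolookalikes, 23)`. The `/** custom nanoid generators */` comment would also be the right place to record why two generators exist — one from the default 64-symbol alphabet for the server-held secret, one from the no-lookalikes dictionary for the value shown to end users — and roughly how much entropy each provides, so a later change to either length is made deliberately rather than by accident.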
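Review bot: The JSDoc on the new `generateToken` documents `@param {number} - the token length`, but the method takes no parameter and the length is fixed to 23 inside `newToken.n23`, so the doc describes an interface that does not exist. The method is also declared `async` without awaiting anything, which wraps a synchronous string in a Promise and forces every caller to `await` it; unless callers already depend on a Promise, `static generateToken () {` with the `@param` line dropped (or replaced by `@returns {string} a 23-character token from the no-lookalikes alphabet`) matches what the code actually does. If a variable length is the intent, the signature should accept it explicitly rather than hint at it in the comment. The `Session` class starts before and continues after this hunk, so callers of `generateToken` are not visible here.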