Merge pull request #73 from dchest/csprng

gfosco · gfosco · commit 251ec4d701da · 2016-02-01T10:02:12.000-08:00
Use CSPRNG to generate objectIds
diff --git a/RestWrite.js b/RestWrite.js
@@ -2,6 +2,7 @@
 // that writes to the database.
 // This could be either a "create" or an "update".
 
+var crypto = require('crypto');
 var deepcopy = require('deepcopy');
 var rack = require('hat').rack();
 
@@ -701,15 +702,18 @@ RestWrite.prototype.objectId = function() {
   return this.data.objectId || this.query.objectId;
 };
 
-// Returns a string that's usable as an object id.
-// Probably unique. Good enough? Probably!
+// Returns a unique string that's usable as an object id.
 function newObjectId() {
   var chars = ('ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
                'abcdefghijklmnopqrstuvwxyz' +
                '0123456789');
   var objectId = '';
-  for (var i = 0; i < 10; ++i) {
-    objectId += chars[Math.floor(Math.random() * chars.length)];
+  var bytes = crypto.randomBytes(10);
+  for (var i = 0; i < bytes.length; ++i) {
+    // Note: there is a slight modulo bias, because chars length
+    // of 62 doesn't divide the number of all bytes (256) evenly.
+    // It is acceptable for our purposes.
+    objectId += chars[bytes.readUInt8(i) % chars.length];
   }
   return objectId;
 }
