random string with CSPRNG

[ericelliott]

A CSPRNG random string generator with a CLI would be very useful for things like generating the cookie secret, etc...

Is something like that already available?

The current Math.random() implementation is quite weak, cryptographically speaking, and should not be used for those purposes.

[morenoh149]

https://github.com/jcoglan/node-csprng

[ericelliott]

Cool. Should we replace our random string util with this? Maybe our generators should also offer to generate the cookie secret? =)

[morenoh149]

Do the generators already generate a cookie secret? looks like https://github.com/keystonejs/generator-keystone/search?utf8=%E2%9C%93&q=cookieSecret&type=Code this.cookieSecret is defined and then placed in the .env file. Or is that not working?

[morenoh149]

@JedWatson does keystone-utils have to work in the browser as well? this affects the solution

[ericelliott]

Yes, but it uses Math.random() to do it, which is not safe for this purpose. It should use a CSPRNG like crypto.randomBytes() (used in node-csprng).

I believe it's safe to use crypto.randomBytes() in the browser using browserify and Webpack.

[morenoh149]

https://github.com/keystonejs/generator-keystone/blob/89419a6fb41b0cd744937f441c2d46229b775a30/app/index.js#L284 uses utils.randomString and that's implemented using jed's own randomkey package https://github.com/keystonejs/keystone-utils/blob/master/lib/index.js#L232 maybe the randomkey package should be augmented to provide a CSPRNG option.

I'm inclined to simply use crypto.randomBytes in the generator instead of changing the utils too much.