remove rndstr dependency

This dependency was unused in the client. The use of it in the server can be replaced entirely by the secureRndstr function, with some slight modifications. That function could probably be refactored a bit more as well.
2022-12-07 18:03:29 +01:00 · 2022-12-07 18:03:29 +01:00 · 0f3f42eb39
commit 0f3f42eb39
parent 71b976ec96
11 changed files with 20 additions and 47 deletions
--- a/packages/backend/package.json
+++ b/packages/backend/package.json
@ -91,7 +91,6 @@
 		"reflect-metadata": "0.1.13",
 		"rename": "1.0.4",
 		"require-all": "3.0.0",
-		"rndstr": "1.0.0",
 		"rss-parser": "3.12.0",
 		"sanitize-html": "2.7.0",
 		"semver": "7.3.7",
--- a/packages/backend/src/misc/secure-rndstr.ts
+++ b/packages/backend/src/misc/secure-rndstr.ts
@ -3,8 +3,7 @@ import * as crypto from 'node:crypto';
 const L_CHARS = '0123456789abcdefghijklmnopqrstuvwxyz';
 const LU_CHARS = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

-export function secureRndstr(length = 32, useLU = true): string {
-	const chars = useLU ? LU_CHARS : L_CHARS;
+export function secureRndstrCustom(length = 32, chars: string): string {
 	const chars_len = chars.length;

 	let str = '';
@ -19,3 +18,8 @@ export function secureRndstr(length = 32, useLU = true): string {

 	return str;
 }
+
+export function secureRndstr(length = 32, useLU = true): string {
+	const chars = useLU ? LU_CHARS : L_CHARS;
+	return secureRndstrCustom(length, chars);
+}
--- a/packages/backend/src/server/api/common/inject-featured.ts
+++ b/packages/backend/src/server/api/common/inject-featured.ts
@ -1,7 +1,7 @@
-import rndstr from 'rndstr';
 import { DAY } from '@/const.js';
 import { Note } from '@/models/entities/note.js';
 import { User } from '@/models/entities/user.js';
+import { secureRndstr } from '@/misc/secure-rndstr.js';
 import { Notes, UserProfiles, NoteReactions } from '@/models/index.js';
 import { generateMutedUserQuery } from './generate-muted-user-query.js';
 import { generateBlockedUserQuery } from './generate-block-query.js';
@ -50,7 +50,7 @@ export async function injectFeatured(timeline: Note[], user?: User | null) {
 	// Pick random one
 	const featured = notes[Math.floor(Math.random() * notes.length)];

-	(featured as any)._featuredId_ = rndstr('a-z0-9', 8);
+	(featured as any)._featuredId_ = secureRndstr(8);

 	// Inject featured
 	timeline.splice(3, 0, featured);
--- a/packages/backend/src/server/api/endpoints/admin/emoji/add.ts
+++ b/packages/backend/src/server/api/endpoints/admin/emoji/add.ts
@ -1,4 +1,3 @@
-import rndstr from 'rndstr';
 import { publishBroadcastStream } from '@/services/stream.js';
 import { db } from '@/db/postgre.js';
 import { Emojis, DriveFiles } from '@/models/index.js';
@ -30,7 +29,7 @@ export default define(meta, paramDef, async (ps, me) => {

 	if (file == null) throw new ApiError('NO_SUCH_FILE');

-	const name = file.name.split('.')[0].match(/^[a-z0-9_]+$/) ? file.name.split('.')[0] : `_${rndstr('a-z0-9', 8)}_`;
+	const name = file.name.split('.')[0].match(/^[a-z0-9_]+$/) ? file.name.split('.')[0] : `_${genId()}_`;

 	const emoji = await Emojis.insert({
 		id: genId(),
--- a/packages/backend/src/server/api/endpoints/admin/invite.ts
+++ b/packages/backend/src/server/api/endpoints/admin/invite.ts
@ -1,6 +1,6 @@
-import rndstr from 'rndstr';
 import { RegistrationTickets } from '@/models/index.js';
 import { genId } from '@/misc/gen-id.js';
+import { secureRndstrCustom } from '@/misc/secure-rndstr.js';
 import define from '../../define.js';

 export const meta = {
@ -32,10 +32,8 @@ export const paramDef = {

 // eslint-disable-next-line import/no-default-export
 export default define(meta, paramDef, async () => {
-	const code = rndstr({
-		length: 8,
-		chars: '2-9A-HJ-NP-Z', // [0-9A-Z] w/o [01IO] (32 patterns)
-	});
+	// omit visually ambiguous zero and letter O as well as one and letter I
+	const code = secureRndstrCustom(8, '23456789ABCDEFGHJKLMNPQRSTUVWXYZ');

 	await RegistrationTickets.insert({
 		id: genId(),
--- a/packages/backend/src/server/api/endpoints/admin/reset-password.ts
+++ b/packages/backend/src/server/api/endpoints/admin/reset-password.ts
@ -1,5 +1,5 @@
 import bcrypt from 'bcryptjs';
-import rndstr from 'rndstr';
+import { secureRndstr } from '@/misc/secure-rndstr.js';
 import { Users, UserProfiles } from '@/models/index.js';
 import define from '../../define.js';

@ -43,7 +43,7 @@ export default define(meta, paramDef, async (ps) => {
 		throw new Error('cannot reset password of admin');
 	}

-	const passwd = rndstr('a-zA-Z0-9', 8);
+	const passwd = secureRndstr(8, true);

 	// Generate hash of password
 	const hash = bcrypt.hashSync(passwd);
--- a/packages/backend/src/server/api/endpoints/i/update-email.ts
+++ b/packages/backend/src/server/api/endpoints/i/update-email.ts
@ -1,7 +1,7 @@
-import rndstr from 'rndstr';
 import bcrypt from 'bcryptjs';
 import { publishMainStream } from '@/services/stream.js';
 import config from '@/config/index.js';
+import { secureRndstr } from '@/misc/secure-rndstr.js';
 import { Users, UserProfiles } from '@/models/index.js';
 import { sendEmail } from '@/services/send-email.js';
 import { validateEmailForAccount } from '@/services/validate-email-for-account.js';
@ -62,7 +62,7 @@ export default define(meta, paramDef, async (ps, user) => {
 	publishMainStream(user.id, 'meUpdated', iObj);

 	if (ps.email != null) {
-		const code = rndstr('a-z0-9', 16);
+		const code = secureRndstr(16);

 		await UserProfiles.update(user.id, {
 			emailVerifyCode: code,
--- a/packages/backend/src/server/api/endpoints/request-reset-password.ts
+++ b/packages/backend/src/server/api/endpoints/request-reset-password.ts
@ -1,9 +1,9 @@
-import rndstr from 'rndstr';
 import { IsNull } from 'typeorm';
 import config from '@/config/index.js';
 import { Users, UserProfiles, PasswordResetRequests } from '@/models/index.js';
 import { sendEmail } from '@/services/send-email.js';
 import { genId } from '@/misc/gen-id.js';
+import { secureRndstr } from '@/misc/secure-rndstr.js';
 import { DAY } from '@/const.js';
 import define from '../define.js';

@ -53,7 +53,7 @@ export default define(meta, paramDef, async (ps) => {
 		return;
 	}

-	const token = rndstr('a-z0-9', 64);
+	const token = secureRndstr(64);

 	await PasswordResetRequests.insert({
 		id: genId(),
--- a/packages/backend/src/server/api/private/signup.ts
+++ b/packages/backend/src/server/api/private/signup.ts
@ -1,11 +1,11 @@
 import Koa from 'koa';
-import rndstr from 'rndstr';
 import bcrypt from 'bcryptjs';
 import { fetchMeta } from '@/misc/fetch-meta.js';
 import { verifyHcaptcha, verifyRecaptcha } from '@/misc/captcha.js';
 import { Users, RegistrationTickets, UserPendings } from '@/models/index.js';
 import config from '@/config/index.js';
 import { sendEmail } from '@/services/send-email.js';
+import { secureRndstr } from '@/misc/secure-rndstr.js';
 import { genId } from '@/misc/gen-id.js';
 import { validateEmailForAccount } from '@/services/validate-email-for-account.js';
 import { signup } from '../common/signup.js';
@ -69,7 +69,7 @@ export default async (ctx: Koa.Context) => {
 	}

 	if (instance.emailRequiredForSignup) {
-		const code = rndstr('a-z0-9', 16);
+		const code = secureRndstr(16);

 		// Generate hash of password
 		const salt = await bcrypt.genSalt(8);
--- a/packages/client/package.json
+++ b/packages/client/package.json
@ -50,7 +50,6 @@
 		"punycode": "2.1.1",
 		"qrcode": "1.5.1",
 		"reflect-metadata": "0.1.13",
-		"rndstr": "1.0.0",
 		"rollup": "2.75.7",
 		"sass": "1.53.0",
 		"seedrandom": "3.0.5",
--- a/yarn.lock
+++ b/yarn.lock
@ -3750,7 +3750,6 @@ __metadata:
    reflect-metadata: 0.1.13
    rename: 1.0.4
    require-all: 3.0.0
-    rndstr: 1.0.0
    rss-parser: 3.12.0
    sanitize-html: 2.7.0
    semver: 7.3.7
@ -4735,7 +4734,6 @@ __metadata:
    punycode: 2.1.1
    qrcode: 1.5.1
    reflect-metadata: 0.1.13
-    rndstr: 1.0.0
    rollup: 2.75.7
    sass: 1.53.0
    seedrandom: 3.0.5
@ -14292,13 +14290,6 @@ __metadata:
  languageName: node
  linkType: hard

-"rangestr@npm:0.0.1":
-  version: 0.0.1
-  resolution: "rangestr@npm:0.0.1"
-  checksum: d7e3233f43a196a513f0f6c6a8a0a46b3c0e5fff97ad4d0c45031ea7494a3785d5db36d36231609b416acddaf5fe464e2c74fcc7a8f4032af83e05af23c33700
-  languageName: node
-  linkType: hard
-
 "ratelimiter@npm:3.4.1":
  version: 3.4.1
  resolution: "ratelimiter@npm:3.4.1"
@ -14954,16 +14945,6 @@ __metadata:
  languageName: node
  linkType: hard

-"rndstr@npm:1.0.0":
-  version: 1.0.0
-  resolution: "rndstr@npm:1.0.0"
-  dependencies:
-    rangestr: 0.0.1
-    seedrandom: 2.4.2
-  checksum: 4eb485a72bbcdfdd8017888122eaa2fe391d92f5a426558ae523f485d7d0fee8a0122ed513955225aab9a034d6eb694d8fb034c612de0bfadf5f4734d592789d
-  languageName: node
-  linkType: hard
-
 "rollup@npm:2.75.7":
  version: 2.75.7
  resolution: "rollup@npm:2.75.7"
@ -15150,13 +15131,6 @@ __metadata:
  languageName: node
  linkType: hard

-"seedrandom@npm:2.4.2":
-  version: 2.4.2
-  resolution: "seedrandom@npm:2.4.2"
-  checksum: 09b4a2883e667601338964f86c000839f64ca8f811c41b4b425a03eabc5c4d243e09b5d15c29c3441cd61a384a316b02d341dbfaf3b0097b5973aa12544f9435
-  languageName: node
-  linkType: hard
-
 "seedrandom@npm:3.0.5":
  version: 3.0.5
  resolution: "seedrandom@npm:3.0.5"