-
Notifications
You must be signed in to change notification settings - Fork 228
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove bias when generating secrets #92
base: master
Are you sure you want to change the base?
Conversation
@markbao How likely will this change break downstream code? |
I can't speak to closed source uses of Speakeasy, but I could only find one usage with possibly breaking code, in an unforked, unstarred, unwatched repository: https://github.com/pefish/common-express/blob/f3e44569b8eeb6430b7c7856a71ef213050056e4/utils/GoogleAuthenticator.js. I used this search: https://github.com/search?utf8=%E2%9C%93&q=speakeasy+generateSecret+ascii&type=Code. |
Any reason this isn't merged, yet? |
index.js
Outdated
}; | ||
|
||
function encodeASCII (bytes, symbols) { | ||
var set = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghijklmnopqrstuvwxyz'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
T
appears twice. This is almost certainly a mistake (that existed before your PR). Replace second T
with Y
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see you added the j
. 💯
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch, I replaced the second T with a Y!
on an unrelated note, I stumbled across this myself earlier today and was super upset. Good job @pepve finding and fixing this! |
index.js
Outdated
}; | ||
|
||
function encodeASCII (bytes, symbols) { | ||
var set = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXTZabcdefghijklmnopqrstuvwxyz'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@pepve FYI I merged this code into https://github.com/mlogan/squeakeasy and published the fork as a new npm module called |
Hi, thanks so much for this project! It's really helping me out. I looked over the code and found something that might be improved.
The way secrets were generated not all outcomes were equally likely. Here's wat happened:
So now I do this:
I hope this is all clear! Thanks in advance for looking at this.