From ca31bba5200f244888f79903cefdff12e0a47741 Mon Sep 17 00:00:00 2001
From: laraproto
Date: Sat, 2 Nov 2024 17:03:32 +0200
Subject: [PATCH] use cryptographically secure random bytes instead of uuid

---
 backend/src/data/ApiLogins.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/backend/src/data/ApiLogins.ts b/backend/src/data/ApiLogins.ts
index 94ffac7d..1c858839 100644
--- a/backend/src/data/ApiLogins.ts
+++ b/backend/src/data/ApiLogins.ts
@@ -7,6 +7,7 @@ import { DAYS, DBDateFormat } from "../utils";
 import { BaseRepository } from "./BaseRepository";
 import { dataSource } from "./dataSource";
 import { ApiLogin } from "./entities/ApiLogin";
+import { randomBytes } from "node:crypto";
 
 const LOGIN_EXPIRY_TIME = 1 * DAYS;
 
@@ -48,7 +49,7 @@ export class ApiLogins extends BaseRepository {
     // Generate random login id
     let loginId;
     while (true) {
-      loginId = uuidv4();
+      loginId = randomBytes(64).toString("hex");
       const existing = await this.apiLogins.findOne({
         where: {
           id: loginId,
@@ -58,7 +59,7 @@ export class ApiLogins extends BaseRepository {
     }
 
     // Generate token
-    const token = uuidv4();
+    const token = randomBytes(64).toString("hex");
     const hash = crypto.createHash("sha256");
     hash.update(loginId + token); // Use loginId as a salt
     const hashedToken = hash.digest("hex");
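Review bot: The new `import { randomBytes } from "node:crypto";` appears to sit beside an existing import of the same module, since the third hunk still calls `crypto.createHash("sha256")` on a `crypto` binding declared outside this hunk; importing one module under two names is a style wart, and `crypto.randomBytes(64)` at the two call sites would avoid it. If `uuidv4` is no longer referenced anywhere in the file after this commit, its import (not visible in the diff) should be removed in the same change so the file does not carry a dead dependency. The import block continues above the hunk start.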
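Review bot: `loginId = randomBytes(64).toString("hex");` produces a 128-character string where a 36-character UUID was stored before, and this value is written to the `id` column via `this.apiLogins` (the lookup `where: { id: loginId }` is visible here); if the column was sized for the UUID it replaces, inserts would be truncated or rejected, so the ApiLogin entity and any migration should be checked before merging. 512 bits is also far more than an identifier needs, and `randomBytes(16).toString("hex")` (128 bits, matching a v4 UUID's size and exceeding its ~122 bits of entropy) would keep the stored width close to the old one; the same expression is repeated for `token` in the next hunk, where a shared helper such as `generateSecretHex(bytes = 32)` would keep the two in step. The `while (true)` collision loop is effectively dead with this much entropy but remains correct. The enclosing method starts and ends outside this hunk.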
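Review bot: The token line carries no comment explaining why the unsalted, single-round `sha256` over `loginId + token` two lines below is still adequate once `uuidv4()` is replaced, and a future reader may reach for a slow password hash here; a comment such as `// token is 64 CSPRNG bytes (512 bits), not a user-chosen secret, so a single fast hash is sufficient; loginId is a fixed-length prefix, so the concatenation is unambiguous` would record that reasoning next to the change. The concatenation stays unambiguous only because both values are now fixed-length hex strings, so that assumption belongs in the comment as well. The enclosing method continues beyond the hunk.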