All geek questions in one place

Creating unique tokens in NodeJS, Crypto Token authentication

Using nodejs and cryptography, right now when the user logs in, I generate an arbitrary authentication token:

var token = crypto.randomBytes(16).toString('hex');

I know this is unlikely, but there is a very small chance for two tokens to have the same value.

This means that the user can theoretically authenticate with another account.

Now I see two obvious methods for getting this:

  • When I generate a token, I query the user database and see a token with the same value already exists. If so, just generate Another. As you can see, this is not ideal since I am adding queries to the database.
  • Since each user has a unique username in my database, I could generate a random token using the username as the generator secret key. Thus, there are no two labels having the same value. Can
    crypto do it? It is safe?

How do you do this?

+5
source share
2 answers

It is too unlikely that this would happen by accident. I would not sacrifice performance to lock and check the database for it.

Consider this excerpt from Pro Git on the probability of collisions between SHA1 sums of 20 bytes:

Here is an example to give you an idea of ​​what it takes to get SHA-1. If all 6.5 billion people on Earth program, and every second each one wrote code that was equivalent to the whole history of the Linux kernel (1 million Git objects) and pushing it into one huge Git repository, it would take 5 years, until the storage contained enough objects, to have a 50% chance of a single collision of SHA-1 objects. There is a higher probability [for medium-sized projects] that each member of your development team will be attacked and killed by wolves in unrelated incidents that night.

If you are still worried about this possibility, you can use more random bytes instead of 16.

But with regards to your second idea: if you hadhed a random identifier with a username, then this hash might collide, like a random identifier. You haven’t decided anything.

+9
source

You should always add a UNIQUE to the database column. This will create an implicit index to improve the search for this column, and it will ensure that none of the two records ever have the same value. Thus, in the worst case, you will get a database exception, not a security violation.

In addition, depending on how often you need to create unique tokens, I find that in most cases it is great to use the database search during generation. If your column is indexed correctly, this will be a fairly quick query. Most databases are very scalable horizontally, so if you are creating the next Facebook, this is again an option. In addition, you will probably need to complete a request to verify the uniqueness of E-Mail.

Finally, if you are really concerned about performance, you can always pre-create one million unique tokens and save them in a separate database table for quick use. Just configure the procedure to periodically check its use and, if necessary, insert more entries into it. However, as pointed out by @MacroMan in the comments, this can have security implications if someone gets access to the list of pre-generated tokens, so this practice should be avoided.

-1
source

Source: https://habr.com/ru/post/1203500/

More articles:


All Articles