Use cryptographically-secure random number generator

[AndriiDubonos]

Current implementation for OTP generation use Math.random() for random number generation.
It's pseudo-random and should not be used as a number generator in security environment.

be-user-service/src/services/otp.ts

Line 31 in b45a0e2

const value: number = Math.floor(1000 + Math.random() * 9000)

[yaroslav73]

But cryptographically-secure is... pseudo-random also 🙃

[nyckyta]

I believe the point here is that it is possible to predict values from crypto insecure generator by observing long enough sequence of previously generated values . In other words, when intruder is able to observe sequence of generated values (even expired one), then he can derive the state of generator from them and thus to start to generate its own values that will be accepcted by the system. As a result, it will compromise users security.

This issue does not appear when you use cryptographically safe algo as doc states.

[alinkedd]

Related to diia-open-source/be-auth-service#1

[includesec-erik]

FYI @AndriiDubonos this issue would be closed if this PR is accepted:
#99

[ghost]

Hi @AndriiDubonos
Thank you for your attention. This is a duplicate issue: diia-open-source/be-auth-service#1. Let's close this issue as a duplicate. Follow up on updates on issues that were opened earlier.