fix: improve password security

ethibox · Jul 24, 2023 · f336745 · f336745
1 parent 164e0ec
commit f336745
Showing 1 changed file with 16 additions and 12 deletions.
diff --git a/lib/utils.js b/lib/utils.js
@@ -1,5 +1,6 @@
 import 'dotenv/config';
 import dns from 'dns';
+import crypto from 'crypto';
 import isEmail from 'validator/lib/isEmail';
 import blocklist from '@lib/blocklist.json';
 import { Op, User, App } from '@lib/orm';
@@ -105,17 +106,20 @@ export const checkDomain = async (domain) => {
 };
 
 export const generatePassword = () => {
+    const length = 12;
     const symbols = '!@%&*_+';
-    const uppercase = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
-    const lowercase = 'abcdefghijklmnopqrstuvwxyz';
-    const numbers = '0123456789';
-    const all = `${symbols}${uppercase}${numbers}${lowercase}`;
-
-    const password = [
-        symbols[Math.floor(Math.random() * symbols.length)],
-        uppercase[Math.floor(Math.random() * uppercase.length)],
-        numbers[Math.floor(Math.random() * numbers.length)],
-    ].join('') + [...Array(9)].map(() => all[Math.floor(Math.random() * all.length)]).join('');
-
-    return password.split('').sort(() => Math.random() - 0.5).join('');
+    const charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@%&*_+';
+    const randomBytes = crypto.randomBytes(length);
+
+    let password = Array.from(randomBytes).map((byte) => charset[byte % charset.length]).join('');
+
+    if (password === password.toLowerCase()) {
+        password = password.slice(0, length - 1) + String.fromCharCode((randomBytes[0] % 26) + 65);
+    }
+
+    if (!symbols.split('').some((symbol) => password.includes(symbol))) {
+        password = password.slice(0, length - 1) + symbols[randomBytes[0] % symbols.length];
+    }
+
+    return password;
 };