fix(security): use sha256 for token generation #38

node-oauth · Oct 14, 2021 · 769878d · 769878d
1 parent b1676fb
commit 769878d
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 14 deletions.
diff --git a/lib/utils/token-util.js b/lib/utils/token-util.js
@@ -20,7 +20,7 @@ module.exports = {
   generateRandomToken: function() {
     return randomBytes(256).then(function(buffer) {
       return crypto
-        .createHash('sha1')
+        .createHash('sha256')
         .update(buffer)
         .digest('hex');
     });

diff --git a/test/assertions.js b/test/assertions.js
@@ -7,13 +7,12 @@
 var chai = require('chai');
 
 /**
- * SHA-1 assertion.
+ * SHA-256 assertion.
  */
-chai.use(function (_chai, utils) {
 
-  utils.addMethod(chai.Assertion.prototype, 'sha1', function () {
+chai.use(function (_chai, utils) {
+  chai.Assertion.addMethod('sha256', function (...args) {
     var obj = utils.flag(this, 'object');
-    new chai.Assertion(obj).match(/^[a-f0-9]{40}$/i);
+    new chai.Assertion(obj).match(/^[a-f0-9]{64}$/i);
   });
-
 });
diff --git a/test/integration/grant-types/abstract-grant-type_test.js b/test/integration/grant-types/abstract-grant-type_test.js
@@ -64,7 +64,7 @@ describe('AbstractGrantType integration', function() {
 
       return handler.generateAccessToken()
         .then(function(data) {
-          data.should.be.a.sha1;
+          data.should.be.a.sha256();
         })
         .catch(should.fail);
     });
@@ -98,7 +98,7 @@ describe('AbstractGrantType integration', function() {
 
       return handler.generateRefreshToken()
         .then(function(data) {
-          data.should.be.a.sha1;
+          data.should.be.a.sha256();
         })
         .catch(should.fail);
     });

diff --git a/test/integration/handlers/authorize-handler_test.js b/test/integration/handlers/authorize-handler_test.js
@@ -587,7 +587,7 @@ describe('AuthorizeHandler integration', function() {
 
       return handler.generateAuthorizationCode()
         .then(function(data) {
-          data.should.be.a.sha1;
+          data.should.be.a.sha256();
         })
         .catch(should.fail);
     });

diff --git a/test/integration/handlers/token-handler_test.js b/test/integration/handlers/token-handler_test.js
@@ -492,7 +492,7 @@ describe('TokenHandler integration', function() {
       var handler = new TokenHandler({ accessTokenLifetime: 120, model: model, refreshTokenLifetime: 120 });
       var request = new Request({
         body: {},
-        headers: { 'authorization': util.format('Basic %s', new Buffer('foo:bar').toString('base64')) },
+        headers: { 'authorization': util.format('Basic %s', Buffer.from('foo:bar').toString('base64')) },
         method: {},
         query: {}
       });
@@ -571,7 +571,7 @@ describe('TokenHandler integration', function() {
         });
         var request = new Request({
           body: { grant_type: 'password'},
-          headers: { 'authorization': util.format('Basic %s', new Buffer('blah:').toString('base64')) },
+          headers: { 'authorization': util.format('Basic %s', Buffer.from('blah:').toString('base64')) },
           method: {},
           query: {}
         });
@@ -679,7 +679,7 @@ describe('TokenHandler integration', function() {
         var request = new Request({
           body: {},
           headers: {
-            'authorization': util.format('Basic %s', new Buffer('foo:bar').toString('base64'))
+            'authorization': util.format('Basic %s', Buffer.from('foo:bar').toString('base64'))
           },
           method: {},
           query: {}

diff --git a/test/integration/utils/token-util_test.js b/test/integration/utils/token-util_test.js
@@ -13,10 +13,10 @@ var should = require('chai').should();
 
 describe('TokenUtil integration', function() {
   describe('generateRandomToken()', function() {
-    it('should return a sha-1 token', function() {
+    it('should return a sha-256 token', function() {
       return TokenUtil.generateRandomToken()
         .then(function(token) {
-          token.should.be.a.sha1;
+          token.should.be.a.sha256();
         })
         .catch(should.fail);
     });