The new implementation would be an improvement, but just to be clear: idempotency keys are scoped entirely to single user accounts, so the worst that could happen is that a user accidentally reuses one of their own idempotency keys, and even with non-crypto random number generation, that's very unlikely to ever happen, especially since it would have to occur within a 24-hour window.
Exciting to see on the linked SO page that the UUID module is coming down the pipeline for inclusion in the core language.
stripe-node/lib/utils.js
Line 409 in ec960ea
The function uses an outdated method of generating UUIDv4s that does not follow current PRNG guidance for UUIDv4 generation.
The referenced comment above the function (https://stackoverflow.com/a/2117523) has an updated implementation:
Given that Stripe is used for payment processing, it seems like sound cryptographic PRNG usage should be the default.
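
An added example, not part of the original issue and not the code of stripe-node or of the linked Stack Overflow answer: a UUIDv4 generator for Node.js that takes its 16 bytes from the CSPRNG behind `crypto.randomBytes` and sets the version and variant bits explicitly. The helper names `uuid4FromBytes`, `uuid4` and `isUuid4` are hypothetical.

```javascript
// Added example; helper names are hypothetical, not stripe-node's API.
const nodeCrypto = require('crypto');

// Format 16 bytes as a UUIDv4. Split out from uuid4() so the bit handling
// can be checked against fixed, constructed input.
function uuid4FromBytes(bytes) {
  if (!bytes || bytes.length !== 16) {
    throw new RangeError('uuid4FromBytes needs exactly 16 bytes');
  }
  const b = Buffer.from(bytes);   // copy, so the caller's buffer is untouched
  b[6] = (b[6] & 0x0f) | 0x40;    // high nibble of byte 6 = version 4
  b[8] = (b[8] & 0x3f) | 0x80;    // top two bits of byte 8 = variant 10
  const h = b.toString('hex');
  return [
    h.slice(0, 8),
    h.slice(8, 12),
    h.slice(12, 16),
    h.slice(16, 20),
    h.slice(20),
  ].join('-');
}

// 122 of the 128 bits come from the OS-backed CSPRNG; the remaining 6 are
// the fixed version and variant bits set above.
function uuid4() {
  return uuid4FromBytes(nodeCrypto.randomBytes(16));
}

// Strict shape check: version nibble must be 4, variant nibble 8, 9, a or b.
const UUID4_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;

function isUuid4(s) {
  return typeof s === 'string' && UUID4_RE.test(s);
}
```
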