Change randomString et al to be secure

...and renames them, removing the special lowercase and uppercase versions and exporting the underlying function instead. Any apps that use these will either need to take the speed hit from secure random functions and use the new ones, or write their own insecure versions. The lowercase and uppercasde verisons were used exactly once each in element-web and never in js-sdk itself. The underlying function is very simple and exporting just this gives more flexibility with fewer exports.
2025-08-07 23:02:56 +03:00 · 2025-01-16 14:48:36 +00:00
parent bdd4d82cb3
commit 86494c3a96
14 changed files with 80 additions and 68 deletions
--- a/spec/unit/randomstring.spec.ts
+++ b/spec/unit/randomstring.spec.ts
@@ -16,10 +16,11 @@ limitations under the License.

 import { decodeBase64 } from "../../src/base64";
 import {
-    randomLowercaseString,
-    randomString,
-    randomUppercaseString,
+    secureRandomString,
    secureRandomBase64Url,
+    secureRandomStringFrom,
+    LOWERCASE,
+    UPPERCASE,
 } from "../../src/randomstring";

 describe("Random strings", () => {
@@ -33,34 +34,40 @@ describe("Random strings", () => {
        expect(decoded).toHaveLength(n);
    });

-    it.each([8, 16, 32])("randomString generates string of %i characters", (n: number) => {
-        const rand1 = randomString(n);
-        const rand2 = randomString(n);
+    it.each([8, 16, 32])("secureRandomString generates string of %i characters", (n: number) => {
+        const rand1 = secureRandomString(n);
+        const rand2 = secureRandomString(n);

        expect(rand1).not.toEqual(rand2);

        expect(rand1).toHaveLength(n);
    });

-    it.each([8, 16, 32])("randomLowercaseString generates lowercase string of %i characters", (n: number) => {
-        const rand1 = randomLowercaseString(n);
-        const rand2 = randomLowercaseString(n);
+    it.each([8, 16, 32])(
+        "secureRandomStringFrom generates lowercase string of %i characters when given lowercase",
+        (n: number) => {
+            const rand1 = secureRandomStringFrom(n, LOWERCASE);
+            const rand2 = secureRandomStringFrom(n, LOWERCASE);

-        expect(rand1).not.toEqual(rand2);
+            expect(rand1).not.toEqual(rand2);

-        expect(rand1).toHaveLength(n);
+            expect(rand1).toHaveLength(n);

-        expect(rand1.toLowerCase()).toEqual(rand1);
-    });
+            expect(rand1.toLowerCase()).toEqual(rand1);
+        },
+    );

-    it.each([8, 16, 32])("randomUppercaseString generates lowercase string of %i characters", (n: number) => {
-        const rand1 = randomUppercaseString(n);
-        const rand2 = randomUppercaseString(n);
+    it.each([8, 16, 32])(
+        "secureRandomStringFrom generates uppercase string of %i characters when given uppercase",
+        (n: number) => {
+            const rand1 = secureRandomStringFrom(n, UPPERCASE);
+            const rand2 = secureRandomStringFrom(n, UPPERCASE);

-        expect(rand1).not.toEqual(rand2);
+            expect(rand1).not.toEqual(rand2);

-        expect(rand1).toHaveLength(n);
+            expect(rand1).toHaveLength(n);

-        expect(rand1.toUpperCase()).toEqual(rand1);
-    });
+            expect(rand1.toUpperCase()).toEqual(rand1);
+        },
+    );
 });