auth0/node-samlp

Math.random() is not cryptographically secure

gen0cide opened this issue · 1 comment

module.exports.generateUniqueID = function() {

This function is used to generate unique UIDs throughout the SAML library. Given that SAML deals with authentication, it seems like poor practice to not generate random UIDs in a cryptographically secure manner.

Reference: https://nodejs.org/api/crypto.html#crypto_crypto_randomint_min_max_callback
Guidance: https://gist.github.com/joepie91/7105003c3b26e65efcea63f3db82dfba

Hi @gen0cide - I'm closing this ticket off as the generateUniqueID fn has been updated in #116 to use https://github.com/auth0/id-generator internally - the implementation of that lib mimics the nodejs randomInt fn you've referenced.

This change is released in v5.0.1.

Thanks,
Tom