Password cookie file filled with garbage upon first start

Question

Password cookie file filled with garbage upon first start

chrisguida opened this issue 5 years ago · 2 comments

Looks like some code is getting saved in the cookie file the first time the server starts:

$ cat /home/chris/.spark-wallet/cookie
() => {
    let id = ''
    while (true) {
      let bytes = getRandom(step)
      // A compact alternative for `for (var i = 0; i < step; i++)`.
      let i = step
      while (i--) {
        // Adding `|| ''` refuses a random byte that exceeds the alphabet size.
        id += alphabet[bytes[i] & mask] || ''
        // `id.length + 1 === size` is a more compact option.
        if (id.length === +size) return id
      }
    }
  }:[username]:[password]

The server will not let me in until I rewrite the cookie file with [username]:[password]

Answer 1 · 2020-05-17T17:51:35.000Z

Thanks for reporting this! Looks like this happened due to a change in one of the dependencies.

I fixed this in 4fd8f9f and will release a new version with it soon.

Answer 2 · 2020-08-06T22:37:30.000Z

Took a little while, but v0.2.15 is now out with this fix.

For future reference, this bug was causing the username to be generated incorrectly, but the password was generated properly and contained sufficient entropy such that this did not result in a security risk.