perf: random tokens do not need to be hashed

There's no need to generate extra random bytes only to hash them. A random input will lead to a random hash being generated, but the random input is enough in its own right and does not need to be hashed to make it any more or less secure. The amount of entropy is capped at 32 bytes when hashed, so we may as well just provide 32 random bytes.
node-oauth · Jul 24, 2024 · 7ca62ee · 7ca62ee
1 parent 6627e87
commit 7ca62ee
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/lib/utils/token-util.js b/lib/utils/token-util.js
@@ -5,7 +5,6 @@
  */
 
 const randomBytes = require('crypto').randomBytes;
-const { createHash } = require('../utils/crypto-util');
 
 /**
  * Export `TokenUtil`.
@@ -17,8 +16,15 @@ module.exports = {
    * Generate random token.
    */
 
-  generateRandomToken: async function() {
-    const buffer = randomBytes(256);
-    return createHash({ data: buffer, encoding: 'hex' });
+  generateRandomToken: function() {
+    return new Promise((resolve, reject) => {
+      randomBytes(32, (err, data) => {
+        if (err) {
+          reject(err);
+        } else {
+          resolve(data.toString('hex'));
+        }
+      });
+    });
   }
 };