From 7ca62ee479e7eaf81167ca0a1e320637c061cad1 Mon Sep 17 00:00:00 2001
From: Daniel Hensby
Date: Wed, 24 Jul 2024 16:28:10 +0100
Subject: [PATCH] perf: random tokens do not need to be hashed
There's no need to generate extra random bytes only to hash them. A random input will lead to a random hash being generated, but the random input is enough in its own right and does not need to be hashed to make it any more or less secure. The amount of entropy is capped at 32 bytes when hashed, so we may as well just provide 32 random bytes.
---
 lib/utils/token-util.js | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/lib/utils/token-util.js b/lib/utils/token-util.js
index a1d6937e..52487567 100644
--- a/lib/utils/token-util.js
+++ b/lib/utils/token-util.js
@@ -5,7 +5,6 @@
 */
 const randomBytes = require('crypto').randomBytes;
-const { createHash } = require('../utils/crypto-util');
 /**
 * Export `TokenUtil`.
@@ -17,8 +16,15 @@ module.exports = {
 * Generate random token.
 */
- generateRandomToken: async function() {
- const buffer = randomBytes(256);
- return createHash({ data: buffer, encoding: 'hex' });
+ generateRandomToken: function() {
+ return new Promise((resolve, reject) => {
+ randomBytes(32, (err, data) => {
+ if (err) {
+ reject(err);
+ } else {
+ resolve(data.toString('hex'));
+ }
+ });
+ });
 }
 };
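Review bot: The literal `32` in `randomBytes(32, …)` is now the only thing that fixes the entropy of every token this helper issues, and neither the call nor the `Generate random token.` comment above `generateRandomToken` records that. I would name it, e.g. `const TOKEN_BYTES = 32; // 256 bits from the CSPRNG, hex-encoded to 64 characters`, and extend the doc comment to say the function returns a Promise resolving to a 64-character lowercase hex string; per the commit message the previous hash output was also 32 bytes, so the token length should be unchanged for anything that stores or validates it. A unit test asserting the result matches `/^[0-9a-f]{64}$/` would stop a later change from shortening tokens unnoticed. As a style point, the hand-written Promise wrapper could be replaced by `util.promisify(randomBytes)(32)`; the enclosing `module.exports` object and the file's require block start outside this hunk, so whether `util` is already in scope is not visible here.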