Updated generatePassword function #9475
base: master
Conversation
👋 Hello! Thanks for contributing to our project.

If you are unsure the failing tests are related to your code, you can check the "reference jobs". These are jobs that run on a scheduled time with code from master. If they fail for the same reason as your build, it means the tests or the infrastructure are broken. If they do not fail, but yours do, it means it is related to your code.

Reference tests:

KNOWN ISSUES

Sometimes the build can fail when pulling new jar files from download.opensuse.org. This is a known limitation. Given this happens rarely, when it does, all you need to do is rerun the test. Sorry for the inconvenience.

For more tips on troubleshooting, see the troubleshooting guide. Happy hacking!
```js
const allChars = lowercase + uppercase + numbers + specials;

// Ensure at least one character from each category
const getRandomChar = (charset) => charset[Math.floor(Math.random() * charset.length)];
```
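Review bot: `getRandomChar` takes its index from `Math.random()`, which is not a cryptographically secure generator and so should not pick characters of a password; draw the index from `window.crypto.getRandomValues()` instead, and reduce the 32-bit value to `charset.length` with rejection sampling rather than a bare modulo so that every character stays equally likely.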
`Math.random()` is a pseudorandom number generator, I don't think we want to use it here. Similarly below in the sort function, I think this is not the way we want to approach this. The whole idea of using `window.crypto.getRandomValues()` is that we don't want to use `Math.random()`.
```js
const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789:-_";
const array = new Uint32Array(charset.length);
window.crypto.getRandomValues(array);
const length = 24; // fixed length for better security
```
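Review bot: the comment `// fixed length for better security` is not justified by the change: fixing every generated password at 24 characters only shrinks the set of candidates compared with allowing a range, so either take the length from a parameter or draw it from the permitted range, and drop the comment. Also note that `new Uint32Array(charset.length)` sizes the random buffer by the number of symbols in `charset`, not by the password length; the two quantities are unrelated and should not share a constant.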
I think this is not true? Using a fixed length reduces security, since it makes the space you need to brute force smaller. To exemplify, if we use only passwords of length 25, then there are `X^25` combinations where `X` is the number of symbols in our charset, but if we allow for example passwords of length 15-25, then there are `X^15 + X^16 + X^17 + ... + X^25` combinations.
I think we need to revisit this code, I don't think as is this is a correct way to generate passwords. Is there a ticket behind this change, what are the requirements?
Also pinging @szachovy for opinions, I think this is something up your alley.
Can't we use some JS built-in function instead of creating the whole logic for this purpose? I am not a JS expert, but I would be very surprised if there is no cryptographic module (or derivative) available.
```js
// Shuffle the password to avoid guaranteed character positions
password = password.split('').sort(() => 0.5 - Math.random()).join('');
```
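Review bot: `sort(() => 0.5 - Math.random())` does not produce a uniform shuffle: `Array.prototype.sort` expects a consistent comparator, and with a random one the resulting permutation is biased in a way that depends on the engine's sort algorithm, on top of relying on `Math.random()` again. Replace it with a Fisher–Yates loop that takes each swap index from `window.crypto.getRandomValues()`.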
For shuffling, you could also use the Fisher–Yates shuffle.
```js
const lowercase = "abcdefghijklmnopqrstuvwxyz";
const uppercase = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
const numbers = "0123456789";
const specials = ":-_!@#$%^&*()"; // extended set of special characters
```
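Review bot: the `specials` set covers only part of the printable ASCII punctuation and the comment does not say why; either state the constraint that limits it (for instance, what the systems consuming these passwords accept) in the comment or widen the set, so that the reduced entropy per character is a deliberate choice rather than an accident.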
Just out of curiosity, why does this constant only include this limited amount of special chars?
What does this PR change?
Improvement in generatePassword function in utils.ts
add description
GUI diff
No difference.
Before:
After:
Documentation
No documentation needed
DONE
Test coverage
ℹ️ If a major new functionality is added, it is strongly recommended that tests for the new functionality are added to the Cucumber test suite
No tests: already covered
DONE
Links
Issues: #25664
Port(s): # add downstream PR(s), if any
Changelogs
Make sure the changelogs entries you are adding are compliant with https://github.com/uyuni-project/uyuni/wiki/Contributing#changelogs and https://github.com/uyuni-project/uyuni/wiki/Contributing#uyuni-projectuyuni-repository
If you don't need a changelog check, please mark this checkbox:
If you uncheck the checkbox after the PR is created, you will need to re-run changelog_test (see below).

Re-run a test
If you need to re-run a test, please mark the related checkbox, it will be unchecked automatically once it has re-run:
Before you merge
Check How to branch and merge properly!