Simplify random_token implementation to use set_secure_random_alphanum.

Use nginx NDK to use set_secure_random_alphanum for our random_token implementation. This is both faster and simpler than our previous implementation. It's limited to 64 characters in length, but that should be fine for our purposes.
NREL · May 19, 2018 · 8fd99e3 · 8fd99e3
1 parent 1e17f46
commit 8fd99e3
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 42 deletions.
diff --git a/src/api-umbrella/cli/read_config.lua b/src/api-umbrella/cli/read_config.lua
@@ -385,7 +385,7 @@ local function set_cached_random_tokens()
       if not config["web"]["rails_secret_token"] then
         deep_defaults(cached, {
           web = {
-            rails_secret_token = random_token(128),
+            rails_secret_token = random_token(64),
           },
         })
       end

diff --git a/src/api-umbrella/proxy/models/active_config.lua b/src/api-umbrella/proxy/models/active_config.lua
@@ -5,6 +5,7 @@ local host_normalize = require "api-umbrella.utils.host_normalize"
 local load_backends = require "api-umbrella.proxy.load_backends"
 local mustache_unescape = require "api-umbrella.utils.mustache_unescape"
 local plutils = require "pl.utils"
+local random_token = require "api-umbrella.utils.random_token"
 local resolve_backend_dns = require "api-umbrella.proxy.jobs.resolve_backend_dns"
 local tablex = require "pl.tablex"
 local utils = require "api-umbrella.proxy.utils"
@@ -183,7 +184,7 @@ end
 
 local function parse_website_backend(website_backend)
   if not website_backend["_id"] then
-    website_backend["_id"] = ndk.set_var.set_secure_random_alphanum(32)
+    website_backend["_id"] = random_token(32)
   end
 
   if website_backend["frontend_host"] then

diff --git a/src/api-umbrella/utils/random_token.lua b/src/api-umbrella/utils/random_token.lua
@@ -1,42 +1,3 @@
-local resty_random = require "resty.random"
-
-local encode_base64 = ngx.encode_base64
-local gsub = ngx.re.gsub
-local random_bytes = resty_random.bytes
-
 return function(length)
-  local token = ""
-  -- Loop until we've generated a valid token. The basic process:
-  --
-  -- 1. Generate secure random bytes.
-  -- 2. Convert random bytes to base64.
-  -- 3. Strip out special characters from base64 result, so we're left with
-  --    just alphanumerics.
-  --
-  -- It should be extraordinarily rare that this needs to loop, but since we
-  -- strip out some of the special characters from the resulting base64 string,
-  -- this loops in case we strip more than expected.
-  while string.len(token) < length do
-    -- Attempt to generate cryptographically secure random bytes. We
-    -- purposefully generate more bytes than we need, since we'll be stripping
-    -- some of the base64 characters out.
-    local num_bytes = length + 10
-    local strong_random = random_bytes(num_bytes, true)
-    if not strong_random then
-      ngx.log(ngx.WARN, "Could not generate cryptographically secure random data. Falling back to non-secure random data.")
-      strong_random = random_bytes(num_bytes, false)
-    end
-
-    -- Encode with base64.
-    token = token .. encode_base64(strong_random)
-
-    -- Strip +, /, and = out of the base64 result, since we just want a-z, A-Z,
-    -- and 0-9 in our tokens.
-    token = gsub(token, "[+/=]", "", "jo")
-
-    -- Take just the number of characters requested.
-    token = string.sub(token, 1, length)
-  end
-
-  return token
+  return ndk.set_var.set_secure_random_alphanum(length)
 end