Ghost/ghost/security/lib/secret.js

const crypto = require('crypto');

/*
 * Uses birthday problem estimation to calculate chance of collision
 * d = 16^26        // 26 char hex string
 * n = 10,000,000   // 10 million
 *
 *       (-n x (n-1)) / 2d
 * 1 - e^
 *
 *
 *           17
 * ~= 4 x 10^
 *
 * ref: https://medium.freecodecamp.org/how-long-should-i-make-my-api-key-833ebf2dc26f
 * ref: https://en.wikipedia.org/wiki/Birthday_problem#Approximations
 *
 * 26 char hex string = 13 bytes (content api)
 * 64 char hex string JWT secret = 32 bytes (admin api / default)
 *
 * @param {String|Number} [typeOrLength=64]
 * @returns
 */
module.exports.create = (typeOrLength) => {
    let bytes;
    let length;

    if (Number.isInteger(typeOrLength)) {
        bytes = Math.ceil(typeOrLength / 2);
        length = typeOrLength;
    } else if (typeOrLength === 'content') {
        bytes = 13;
        length = 26;
    } else {
        bytes = 32;
        length = 64;
    }

    return crypto.randomBytes(bytes).toString('hex').slice(0, length);
};
Added secret.create util to security package - this utility existed twice in the ghost codebase: - https://github.com/TryGhost/Ghost/blob/f6fb823ce92b0fb8a2953ac76a10881c6b5aa61b/core/server/models/api-key.js#L24 - https://github.com/TryGhost/Ghost/blob/f6fb823ce92b0fb8a2953ac76a10881c6b5aa61b/core/server/data/migrations/versions/4.0/22-solve-orphaned-webhooks.js#L7 - We also potentially need it for a second migration use case - so moved it here, made it slightly more generic and also deprecated identifier.uid in favour of using this method as they do the same thing, but secret.create uses crypto properly 2022-05-06 17:04:23 +03:00			`const crypto = require('crypto');`

			`/*`
			`* Uses birthday problem estimation to calculate chance of collision`
			`* d = 16^26 // 26 char hex string`
			`* n = 10,000,000 // 10 million`
			`*`
			`* (-n x (n-1)) / 2d`
			`* 1 - e^`
			`*`
			`*`
			`* 17`
			`* ~= 4 x 10^`
			`*`
			`* ref: https://medium.freecodecamp.org/how-long-should-i-make-my-api-key-833ebf2dc26f`
			`* ref: https://en.wikipedia.org/wiki/Birthday_problem#Approximations`
			`*`
			`* 26 char hex string = 13 bytes (content api)`
			`* 64 char hex string JWT secret = 32 bytes (admin api / default)`
			`*`
			`* @param {String\|Number} [typeOrLength=64]`
			`* @returns`
			`*/`
			`module.exports.create = (typeOrLength) => {`
			`let bytes;`
			`let length;`

			`if (Number.isInteger(typeOrLength)) {`
			`bytes = Math.ceil(typeOrLength / 2);`
			`length = typeOrLength;`
			`} else if (typeOrLength === 'content') {`
			`bytes = 13;`
			`length = 26;`
			`} else {`
			`bytes = 32;`
			`length = 64;`
			`}`

			`return crypto.randomBytes(bytes).toString('hex').slice(0, length);`
			`};`