Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace uuidv4 generator with crypto.randomUUID() #8600

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Replace uuidv4 generator with crypto.randomUUID() #8600

wants to merge 3 commits into from

Conversation

dlarocque
Copy link
Contributor

@dlarocque dlarocque commented Oct 25, 2024
edited
Loading

The uuidv4 generator in util uses Math.random(), which does not provide strong uniqueness guarantees (https://www.bocoup.com/blog/random-numbers).

The places where the uuidv4 generator are used don't require strong uniqueness guarantees (nothing security related), but I think it's good to move away from this from util in case we try to use it in the future.

A better built-in alternative is crypto.randomUUID(), which does provide strong uniqueness guarantees. I believe the reason this wasn't used originally was because it wasn't supported in Node <15. Since this is a more modern JS built-in, it's only defined in secure contexts. Is this something we're concerned about? Are there any App Check users with apps running in non-secure environments?

Fixes #6462
Also closes b/283984828

@dlarocque
Replace uuidv4 generator with crypto.randomUUID()
e98433f 
The uuidv4 generator in util used `Math.random()`, which does not provide strong uniqueness guarantees
(https://www.bocoup.com/blog/random-numbers).

The places where the uuidv4 generator were used didn't require strong
uniqueness guarantees (nothing security related), but I think it's good
to move away from this from util in case we try to use it in the future.

A better built-in alternative is `crypto.randomUUID()`, which does provide strong
uniqueness guarantees. Since this is a more modern JS built-in, it's
only [defined in secure
contexts](https://blog.mozilla.org/security/2018/01/15/secure-contexts-everywhere/).
Is this something we're concerned about? Are there any App Check users
with apps running in non-secure environments?
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Oct 25, 2024
edited
Loading

🦋 Changeset detected

Latest commit: 1e712d0

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 30 packages
Name Type
@firebase/app-check Patch
@firebase/util Patch
@firebase/app-check-compat Patch
firebase Patch
@firebase/analytics-compat Patch
@firebase/analytics Patch
@firebase/app-compat Patch
@firebase/app Patch
@firebase/auth-compat Patch
@firebase/auth Patch
@firebase/component Patch
@firebase/data-connect Patch
@firebase/database-compat Patch
@firebase/database-types Patch
@firebase/database Patch
@firebase/firestore-compat Patch
@firebase/firestore Patch
@firebase/functions-compat Patch
@firebase/functions Patch
@firebase/installations-compat Patch
@firebase/installations Patch
@firebase/messaging-compat Patch
@firebase/messaging Patch
@firebase/performance-compat Patch
@firebase/performance Patch
@firebase/remote-config-compat Patch
@firebase/remote-config Patch
@firebase/storage-compat Patch
@firebase/storage Patch
@firebase/vertexai Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@google-oss-bot
Copy link
Contributor

google-oss-bot commented Oct 25, 2024
edited
Loading

Size Report 1

Affected Products

  • @firebase/app-check

    TypeBase (e577a40)Merge (a495cd3)Diff
    browser26.3 kB26.3 kB+4 B (+0.0%)
    main27.3 kB27.3 kB+6 B (+0.0%)
    module26.3 kB26.3 kB+4 B (+0.0%)

  • @firebase/util

    TypeBase (e577a40)Merge (a495cd3)Diff
    browser23.4 kB23.2 kB-168 B (-0.7%)
    main29.2 kB29.0 kB-222 B (-0.8%)
    module23.4 kB23.2 kB-168 B (-0.7%)

  • bundle

    TypeBase (e577a40)Merge (a495cd3)Diff
    app-check (CustomProvider)37.5 kB37.3 kB-142 B (-0.4%)
    app-check (ReCaptchaEnterpriseProvider)40.0 kB39.8 kB-144 B (-0.4%)
    app-check (ReCaptchaV3Provider)39.9 kB39.8 kB-144 B (-0.4%)

  • firebase

    TypeBase (e577a40)Merge (a495cd3)Diff
    firebase-app-check-compat.js23.4 kB23.2 kB-136 B (-0.6%)
    firebase-app-check.js25.0 kB24.9 kB-107 B (-0.4%)
    firebase-compat.js794 kB794 kB-133 B (-0.0%)

Test Logs

  1. https://storage.googleapis.com/firebase-sdk-metric-reports/WDu9rYg17V.html

@dlarocque dlarocque requested review from a team as code owners October 25, 2024 14:03
@github-actions GitHub Actions
Copy link
Contributor

Changeset File Check ⚠️

  • Warning: This PR modifies files in the following packages but they have not been included in the changeset file:%0A - @firebase/data-connect%0A - @firebase/database%0A%0A Make sure this was intentional.

@google-oss-bot
Copy link
Contributor

google-oss-bot commented Oct 25, 2024
edited
Loading

Size Analysis Report 1

Affected Products

  • @firebase/app-check

    • initializeAppCheck

      Size

      TypeBase (e577a40)Merge (a495cd3)Diff
      size11.2 kB11.2 kB+1 B (+0.0%)
      size-with-ext-deps36.5 kB36.3 kB-144 B (-0.4%)

      External Dependency

      ModuleBase (e577a40)Merge (a495cd3)Diff
      @firebase/util

      Deferred
ErrorFactory
base64
getGlobal
getModularInstance
isIndexedDBAvailable
uuidv4

      Deferred
ErrorFactory
base64
getGlobal
getModularInstance
isIndexedDBAvailable

      - uuidv4

Test Logs

  1. https://storage.googleapis.com/firebase-sdk-metric-reports/OiUYuy3PO8.html

@hsubox76
Copy link
Contributor

hsubox76 commented Nov 5, 2024

Since this is a more modern JS built-in, it's only defined in secure contexts. Is this something we're concerned about? Are there any App Check users with apps running in non-secure environments?

What's the effect of this, if you deploy an app with App Check to a site and call it with HTTP, do you get an error?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hsubox76 hsubox76 Awaiting requested review from hsubox76 hsubox76 is a code owner

@maneesht maneesht Awaiting requested review from maneesht maneesht is a code owner

@aashishpatil-g aashishpatil-g Awaiting requested review from aashishpatil-g aashishpatil-g is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Don't use Math.random() to generate UUIDs
3 participants
@dlarocque @google-oss-bot @hsubox76