From 7f6abdf8e2c56de63755adfed8ab585925adf23b Mon Sep 17 00:00:00 2001
From: rainbow napkin
Date: Sat, 18 Oct 2025 08:36:05 -0400
Subject: [PATCH] Improved Email Change and Password Reset token security by increasing token size.
---
 src/schemas/user/emailChangeSchema.js | 2 +-
 src/schemas/user/passwordResetSchema.js | 2 +-
 src/validators/accountValidator.js | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/schemas/user/emailChangeSchema.js b/src/schemas/user/emailChangeSchema.js
index bffd13f..5e839ba 100644
--- a/src/schemas/user/emailChangeSchema.js
+++ b/src/schemas/user/emailChangeSchema.js
@@ -52,7 +52,7 @@ const emailChangeSchema = new mongoose.Schema({
 type: mongoose.SchemaTypes.String,
 required: true,
 //Use a cryptographically secure algorythm to create a random hex string from 16 bytes as our change/cancel token
- default: ()=>{return crypto.randomBytes(16).toString('hex')}
+ default: ()=>{return crypto.randomBytes(32).toString('hex')}
 },
 ipHash: {
 type: mongoose.SchemaTypes.String,
diff --git a/src/schemas/user/passwordResetSchema.js b/src/schemas/user/passwordResetSchema.js
index ecba77f..9391bee 100644
--- a/src/schemas/user/passwordResetSchema.js
+++ b/src/schemas/user/passwordResetSchema.js
@@ -48,7 +48,7 @@ const passwordResetSchema = new mongoose.Schema({
 type: mongoose.SchemaTypes.String,
 required: true,
 //Use a cryptographically secure algorythm to create a random hex string from 16 bytes as our reset token
- default: ()=>{return crypto.randomBytes(16).toString('hex')}
+ default: ()=>{return crypto.randomBytes(32).toString('hex')}
 },
 ipHash: {
 type: mongoose.SchemaTypes.String,
diff --git a/src/validators/accountValidator.js b/src/validators/accountValidator.js
index aa1d942..4e031d3 100644
--- a/src/validators/accountValidator.js
+++ b/src/validators/accountValidator.js
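Review bot: The comment directly above the changed `default` line still says the token is built `from 16 bytes`, while the new code calls `crypto.randomBytes(32)`; the passwordResetSchema.js hunk carries the same stale comment. Update both to `//Use a cryptographically secure algorithm to create a random hex string from 32 bytes as our change/cancel token` (and `... as our reset token` in the reset schema), which also fixes the `algorythm` spelling. The byte count is now repeated in two schemas and mirrored by the 64-character length check in accountValidator.js, so a single shared constant (e.g. `const TOKEN_BYTES = 32;` exported from one module and used as `crypto.randomBytes(TOKEN_BYTES)`) would keep the generator and validator from drifting apart again. Both schema definitions start before and continue past these hunks.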
@@ -185,8 +185,8 @@ module.exports.securityToken = function(field = 'token'){
 isHexadecimal: true,
 isLength: {
 options: {
- min: 32,
- max: 32
+ min: 64,
+ max: 64
 }
 },
 errorMessage: "Invalid security token."
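Review bot: Tightening `isLength` to exactly 64 means any email-change or password-reset token issued before this deploy (32 hex characters under the old `randomBytes(16)` default) is now rejected with "Invalid security token.", and the commit adds no migration or grace period, so in-flight links break unless those records have already expired, which this hunk does not show. If that is the intent, state it in the commit description; otherwise accept exactly 32 or exactly 64 characters through a custom check for the old tokens' remaining lifetime, with a `// TODO: drop the 32-char case once tokens issued before 7f6abdf have expired` comment. The literal 64 is just the hex encoding of the 32 bytes chosen in the two schema files, so deriving it from a shared constant (`min: TOKEN_BYTES * 2, max: TOKEN_BYTES * 2`) ties the validator to the generator. The `securityToken` function continues outside the hunk.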