Improved Email Change and Password Reset token security by increasing token size.

2025-10-18 08:36:05 -04:00 · 2025-10-18 08:36:05 -04:00 · 7f6abdf8e2
parent 06f552a9ec
commit 7f6abdf8e2
3 changed files with 4 additions and 4 deletions
--- a/src/schemas/user/emailChangeSchema.js
+++ b/src/schemas/user/emailChangeSchema.js
@ -52,7 +52,7 @@ const emailChangeSchema = new mongoose.Schema({
        type: mongoose.SchemaTypes.String,
        required: true,
        //Use a cryptographically secure algorythm to create a random hex string from 16 bytes as our change/cancel token
-        default: ()=>{return crypto.randomBytes(16).toString('hex')}
+        default: ()=>{return crypto.randomBytes(32).toString('hex')}
    },
    ipHash: {
        type: mongoose.SchemaTypes.String,
--- a/src/schemas/user/passwordResetSchema.js
+++ b/src/schemas/user/passwordResetSchema.js
@ -48,7 +48,7 @@ const passwordResetSchema = new mongoose.Schema({
        type: mongoose.SchemaTypes.String,
        required: true,
        //Use a cryptographically secure algorythm to create a random hex string from 16 bytes as our reset token
-        default: ()=>{return crypto.randomBytes(16).toString('hex')}
+        default: ()=>{return crypto.randomBytes(32).toString('hex')}
    },
    ipHash: {
        type: mongoose.SchemaTypes.String,
--- a/src/validators/accountValidator.js
+++ b/src/validators/accountValidator.js
@ -185,8 +185,8 @@ module.exports.securityToken = function(field = 'token'){
            isHexadecimal: true,
            isLength: {
                options: {
-                    min: 32,
+                    min: 64,
-                    max: 32
+                    max: 64
                }
            },
            errorMessage: "Invalid security token."