From 33d7fb42940084d67395769cb1a02475908e5d4c Mon Sep 17 00:00:00 2001
From: Tanner Collin
Date: Mon, 9 Jan 2017 18:19:24 -0700
Subject: [PATCH] Generate IDs cryptographically securely on the server

---
 package.json | 5 ++---
 server.js | 12 +++++++++++-
 src/ui/Site.js | 4 ++--
 views/index.pug | 4 ++++
 4 files changed, 19 insertions(+), 6 deletions(-)
 create mode 100644 views/index.pug

diff --git a/package.json b/package.json
index d43e402..caa3015 100644
--- a/package.json
+++ b/package.json
@@ -21,9 +21,6 @@
 "babel-plugin-transform-react-constant-elements": "^6.9.1",
 "babel-plugin-transform-react-inline-elements": "^6.8.0",
 "babel-preset-es2015": "^6.18.0",
- "babel-preset-es2016": "^6.16.0",
- "babel-preset-es2017": "^6.16.0",
- "babel-preset-latest": "^6.16.0",
 "babel-preset-react": "^6.16.0",
 "eslint-plugin-react": "^2.3.0",
 "react-hot-loader": "^1.2.7",
@@ -31,9 +28,11 @@
 "webpack-dev-server": "^1.8.2"
 },
 "dependencies": {
+ "base64-url": "^1.3.3",
 "body-parser": "^1.15.2",
 "freezer-js": "^0.6.0",
 "moment": "^2.17.1",
+ "pug": "^2.0.0-beta6",
 "qrcode.react": "^0.6.1",
 "react": "^0.13.0",
 "react-router": "^2.0.0",
diff --git a/server.js b/server.js
index 609840f..9f8247f 100644
--- a/server.js
+++ b/server.js
@@ -1,7 +1,10 @@
 const path = require('path');
 const express = require('express');
+const pug = require('pug');
 const bodyParser = require('body-parser');
 const moment = require('moment');
+const crypto = require('crypto');
+const base64url = require('base64-url');
 const app = express();
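Review bot: `const pug = require('pug');` is added but no changed line references the binding; Express loads the view engine by name from `app.set('view engine', 'pug')`, so unless `pug` is used further down server.js (outside this hunk) the require is dead and can be dropped while keeping the package dependency. The other two additions, `crypto` and `base64-url`, are both consumed by the new `generateID` in the following hunk.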
@@ -9,14 +12,21 @@ const host = 'http://127.0.0.1';
 const port = 3000;
 app.use(bodyParser.urlencoded({ extended: false }));
+app.set('view engine', 'pug')
 function log(message) {
 console.log(moment().format() + ': ' + message);
 }
+function generateID() {
+ const bytes = crypto.randomBytes(30);
+ const string = base64url.encode(bytes);
+ return string.substring(0, 8);
+}
+
 app.use('/', express.static(path.join(__dirname, 'public')));
 app.get('/*', (req, res) => {
- res.sendFile(path.join(__dirname, 'public/index.html'));
+ res.render('index', { secureID: generateID() })
 });
 app.post('*', (req, res) => {
diff --git a/src/ui/Site.js b/src/ui/Site.js
index 63e41c9..c0e233d 100644
--- a/src/ui/Site.js
+++ b/src/ui/Site.js
@@ -31,11 +31,11 @@ export default class Site extends React.Component {
 if (localStorage.getItem('id')) {
 this.state.id = url || localStorage.getItem('id');
 } else {
- this.state.id = url || Shortid.generate();
+ this.state.id = url || secureID || Shortid.generate();
 }
 localStorage.setItem('id', this.state.id);
 } else {
- this.state.id = url || Shortid.generate();
+ this.state.id = url || secureID || Shortid.generate();
 }
 }
diff --git a/views/index.pug b/views/index.pug
new file mode 100644
index 0000000..3a32d31
--- /dev/null
+++ b/views/index.pug
@@ -0,0 +1,4 @@
+doctype html
+script.
+ var secureID = '!{secureID}';
+include ../public/index.html
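Review bot: The rendered route is shadowed for the site root: `app.use('/', express.static(path.join(__dirname, 'public')))` is registered before `app.get('/*', …)`, and serve-static answers a request for `/` with `public/index.html` by default (a file the removed `res.sendFile` line and the new template's `include` both show exists), so the page most visitors load never reaches `res.render` and carries no `secureID`. Pass `{ index: false }` to `express.static`, or register the render route ahead of the static middleware. Separately, `generateID` draws 30 random bytes and keeps 8 base64url characters, i.e. 48 bits; if that size is intended, `return base64url.encode(crypto.randomBytes(6));` yields exactly 8 characters without the `substring` and makes the strength obvious, and a one-line comment stating the entropy would help the next reader. The new statements `app.set('view engine', 'pug')` and `res.render('index', { secureID: generateID() })` also drop the trailing semicolons the rest of the file uses.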
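Review bot: `secureID` is used as a free identifier in both changed lines; it only exists when the page came through the new pug template, and when it does not (for example a statically served `public/index.html`), evaluating `url || secureID || …` throws a ReferenceError instead of falling through to `Shortid.generate()`. Resolve it once in a guarded form before the `if`, e.g. `const serverID = typeof secureID === 'string' ? secureID : null;`, and use `serverID` in both assignments; the enclosing method starts and ends outside the hunk. Note too that the `Shortid.generate()` fallback keeps the client-side, non-cryptographic path alive, so the commit only hardens the case where the server value actually reaches the browser — worth a short comment at the fallback saying so.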
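Review bot: The inline script interpolates the server value with Pug's unescaped `!{secureID}` inside a single-quoted JavaScript string on the template's third line. Today the value is base64url-only and cannot break out of the literal, but the template does not enforce that, so serialize it instead: `var secureID = !{JSON.stringify(secureID)};` keeps the quoting correct for any string the server later passes. `doctype html` followed by `script.` and then `include ../public/index.html` also emits the `<script>` before whatever `index.html` contains (presumably its own document skeleton), which browsers tolerate but is malformed; placing the script inside that document's `head` would be cleaner.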