Use 256-bit tokens everywhere

src/routes/test/clients-test.js

@@ -593,12 +593,12 @@ describe('Clients', function () {
         salt: 'somesalt',
         createdAt: (new Date()).toUTCString(),
         modifiedAt: (new Date()).toUTCString(),
-        resetToken: hat()
+        resetToken: hat(256)
     };
 
     // make csrf always succeed for testing
     oauth2.csrf = function (req, res, next) {
-        req.csrfToken = function () { return hat(); };
+        req.csrfToken = function () { return hat(256); };
         next();
     };
 

src/routes/test/oauth2-test.js

@@ -141,12 +141,12 @@ describe('Password', function () {
         salt: 'somesalt',
         createdAt: (new Date()).toUTCString(),
         modifiedAt: (new Date()).toUTCString(),
-        resetToken: hat()
+        resetToken: hat(256)
     };
 
     // make csrf always succeed for testing
     oauth2.csrf = function (req, res, next) {
-        req.csrfToken = function () { return hat(); };
+        req.csrfToken = function () { return hat(256); };
         next();
     };
 
@@ -194,7 +194,7 @@ describe('Password', function () {
 
         it('setup fails due to invalid reset_token', function (done) {
             superagent.get(SERVER_URL + '/api/v1/session/password/setup.html')
-            .query({ reset_token: hat() })
+            .query({ reset_token: hat(256) })
             .end(function (error, result) {
                 expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
@@ -224,7 +224,7 @@ describe('Password', function () {
 
         it('reset fails due to invalid reset_token', function (done) {
             superagent.get(SERVER_URL + '/api/v1/session/password/reset.html')
-            .query({ reset_token: hat() })
+            .query({ reset_token: hat(256) })
             .end(function (error, result) {
                 expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);
@@ -286,7 +286,7 @@ describe('Password', function () {
 
         it('fails due to missing password', function (done) {
             superagent.post(SERVER_URL + '/api/v1/session/password/reset')
-            .send({ resetToken: hat() })
+            .send({ resetToken: hat(256) })
             .end(function (error, result) {
                 expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(400);
@@ -296,7 +296,7 @@ describe('Password', function () {
 
         it('fails due to empty password', function (done) {
             superagent.post(SERVER_URL + '/api/v1/session/password/reset')
-            .send({ password: '', resetToken: hat() })
+            .send({ password: '', resetToken: hat(256) })
             .end(function (error, result) {
                 expect(error).to.not.be.ok();
                 expect(result.statusCode).to.equal(401);

src/test/database-test.js

@@ -41,7 +41,7 @@ describe('database', function () {
             salt: 'morton',
             createdAt: 'sometime back',
             modifiedAt: 'now',
-            resetToken: hat()
+            resetToken: hat(256)
         };
 
         var ADMIN_0 = {

src/tokendb.js

@@ -32,7 +32,7 @@ exports = module.exports = {
 var TOKENS_FIELDS = [ 'accessToken', 'identifier', 'clientId', 'scope', 'expires' ].join(',');
 
 function generateToken() {
-    return hat(265);
+    return hat(256);
 }
 
 function get(accessToken, callback) {

src/user.js

@@ -104,7 +104,7 @@ function validateEmail(email) {
 function validateToken(token) {
     assert(typeof token === 'string');
 
-    if (token.length !== 32) return new UserError(UserError.BAD_TOKEN, 'Invalid token');
+    if (token.length !== 64) return new UserError(UserError.BAD_TOKEN, 'Invalid token'); // 256-bit hex coded token
 
     return null;
 }