Saturday, 22 April 2017

How to generate random hash for stripe state

Per the suggestion on the Stripe website:

CSRF Protection: To prevent CSRF attacks, use the state parameter, passing along a unique token as the value. We’ll include the state you gave us when we redirect back.

I would like to include a state parameter in my URL in order to secure my application. I think it's clear enough to me now that the state parameter should be unique, secure, and just a series of characters that will inform my application which user was just authorized by Stripe Connect. I'll store that value in my database and when the user returns, I'll know who they are and be able to direct them to the right location. So, my next question: how do I create that unique token? I have a unique token that is returned from an OAuth provider for a separate part of my application, but I haven't been saving that in the database.

Is there a recommended way to create this type of unique token on my Node server? Should it be md5 or sha1? Should I take the user name and a random string and save it in my database as if it were a salt and hash?

require('crypto').createHash('md5').update(STRING_TO_BE_HASHED + SALT).digest("hex")

Am I overthinking this?



via Luke Schlangen
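
One way to create and check the state value on a Node server, as an added example that is not part of the original post and not Stripe's code: the token comes straight from the CSPRNG instead of hashing a user name, is stored bound to the user, and is accepted once. The function names, the in-memory Map standing in for the database, the 10-minute lifetime and the session user id are assumptions.

```javascript
// Added example; issueState, consumeState and pendingStates are hypothetical names.
const crypto = require('crypto');

const STATE_TTL_MS = 10 * 60 * 1000; // assumption: a state is valid for 10 minutes

// Stand-in for a database table: sha256(state) -> { userId, expires }.
// Only the digest is stored, so a leaked table does not reveal usable states.
const pendingStates = new Map();

const digest = (value) =>
  crypto.createHash('sha256').update(value).digest('hex');

// Call before redirecting the user to the provider's authorize URL.
function issueState(userId, now = Date.now()) {
  // 32 bytes (256 bits) from the OS CSPRNG; no user data is mixed in,
  // so the value cannot be predicted from anything an attacker knows.
  const state = crypto.randomBytes(32).toString('hex');
  pendingStates.set(digest(state), { userId, expires: now + STATE_TTL_MS });
  return state; // goes into the URL as ?state=...
}

// Call in the redirect handler with the state from the query string and
// the user id from the current login session. Returns the user id or null.
function consumeState(state, sessionUserId, now = Date.now()) {
  if (typeof state !== 'string' || state.length === 0) return null;
  const key = digest(state);
  const record = pendingStates.get(key);
  if (!record) return null;                         // never issued, or already used
  pendingStates.delete(key);                        // single use: a replay fails
  if (now > record.expires) return null;            // too old
  if (record.userId !== sessionUserId) return null; // issued to a different user
  return record.userId;
}
```

The lookup is by digest rather than by comparing strings, so the handler never compares the secret value byte by byte against a stored copy.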
