On Thu, Oct 15, 2015 at 5:57 PM, Steven D'Aprano <steve@pearwood.info> wrote:
Hi,
As extensively discussed on Python-Ideas, the secrets module and PEP 506 is (I hope) ready for pronouncement.
{{{
Comparison To Other Languages
[...]
Javascript

Based on a rather cursory search [20], there do not appear to be any well-known standard functions for producing strong random values in Javascript, [...]

[20] Volunteers and patches are welcome.
}}}

Looks like client-side JS has window.crypto.getRandomValues() for this:
https://developer.mozilla.org/en-US/docs/Web/API/RandomSource/getRandomValue...

Similarly, Node.js offers crypto.randomBytes():
https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback

Also, it's spelled "JavaScript", not "Javascript".

Additionally, it looks like there's some kind of bold formatting error in the answer to "Q: What about a password generator?" in the HTML version of the PEP.
There is code and tests here:
I think there's a timing-related flaw in the current fallback implementation of equal():
https://bitbucket.org/sdaprano/secrets/pull-requests/1

Cheers,
Chris
--
https://github.com/cvrebert
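Added example, not part of the message above and not code from the secrets repository: the message does not say what the flaw in equal() is, so this shows the general kind of leak a pure-Python comparison fallback has to avoid, not the pull request's actual change. All function names and sample tokens are constructed; it counts bytes examined instead of measuring wall-clock time so the result is deterministic.

```python
import hmac

def early_exit_equal(secret: bytes, guess: bytes):
    """Leaky comparison. Returns (equal, bytes_examined)."""
    if len(secret) != len(guess):
        return False, 0              # length mismatch returns immediately
    examined = 0
    for x, y in zip(secret, guess):
        examined += 1
        if x != y:                   # stops at the first differing byte
            return False, examined
    return True, examined

def fixed_work_equal(secret: bytes, guess: bytes):
    """Work depends only on len(guess). Returns (equal, bytes_examined)."""
    same_length = len(secret) == len(guess)
    # On a length mismatch, compare guess with itself so the loop still runs.
    left = secret if same_length else guess
    diff = 0 if same_length else 1
    examined = 0
    for x, y in zip(left, guess):
        examined += 1
        diff |= x ^ y                # accumulate, never branch on the data
    return diff == 0, examined

def work_profile(compare, secret, guesses):
    """Bytes examined per guess: the signal a timing observer would measure."""
    return [compare(secret, g)[1] for g in guesses]

# Constructed sample values, not taken from the thread.
SECRET = b"s3cr3t-token"
GUESSES = [b"x3cr3t-token", b"s3cx3t-token", b"s3cr3t-tokex", b"short", SECRET]

if __name__ == "__main__":
    print("early exit:", work_profile(early_exit_equal, SECRET, GUESSES))
    print("fixed work:", work_profile(fixed_work_equal, SECRET, GUESSES))
    # Production code should call the C-backed standard-library primitive.
    print("compare_digest:", [hmac.compare_digest(SECRET, g) for g in GUESSES])
```

A pure-Python loop is only best effort, since the interpreter gives no timing guarantees; hmac.compare_digest() is the standard-library primitive to use where it is available.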