[@ai see at least questions in B. as they are really more appropriate for you, and (eventually) you may want to add this Julia package to your list of ports. And there is also a small part for @joepie91]
It seems to be your first Julia package. That's great! I spent considerable time looking into this (and original nanoid) so I hope it's helpful, at least please tell me if you think I'm wrong.
A.
I blocked the registration after seeing (if/since non-secure would be a disservice to the community to register until fixed):
# Write your package code here.
const urlalphabet = "useandom-26T198340PX75pxJACKVERYMINDBUSHWOLF_GQZbfghjklqvwyzrict"
rng = MersenneTwister()
MersenneTwister is not secure (CSPRNG), and I confirmed the original nanoid uses such:
https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues
lets you get cryptographically strong random values
FYI: There's a new default rng in Julia 1.7 (I advocated to get it in), which is better and faster, but neither secure, so not the right one here for your code (assuming I'm right).
It seems you should do the same as (was done) for UUID:
change uuid to use Random.RandomDevice() instead of Random.default_rng()
JuliaLang/julia#35872
julia> using UUIDs
help?> uuid4
[..]
Currently (as of Julia 1.6), uuid4 uses Random.RandomDevice as the default rng. However,
this is an implementation detail that may change in the future.
[..]
julia> rng = MersenneTwister(1234);
Strangely the example there uses MersenneTwister, maybe why you felt confident to use it (and I think it was used pre-1.6), but it seems to be a mistake to show it in the docs, as dangerous(?), why the 1.6 change.
Some background:
JuliaLang/julia#32954
We currently do not provide a CSPRNG.
[That may be outdated info, or not, at least see the PR from above, it seems to effectively use Random.RandomDevice as a CSPRNG.]
https://github.com/jiahao/SecureComputation.jl
https://github.com/pik/isaac-jl
B.
First for @joepie91 what @ai links to:
https://gist.github.com/joepie91/7105003c3b26e65efcea63f3db82dfba
Don't use crypto.getRandomBytes directly. While it's a CSPRNG
[Did you mean to write "crypto.getRandomValues"? I see that exists, but can't confirm "crypto.getRandomBytes" exists.]
Some questions, seeing urlalphabet = "useandom .." it seemed strange (is there a story about the full string?), but I confirmed it's the same in the original code (so you can keep it as is, while dropping the comment above it...). I thought at first that it was a typo for useRandom (but don't "fix" by adding "r"). It seems it IS actually a typo because in the (ported to) C++ code I see a string with those letters simply in alphabetical order: default_dict = "-0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
I'm just assuming the code here is ok/equivalent, except for the issue in A.
The original nanoid code makes a point of it being small (130 bytes minified) and fast. It's not important for the Julia code to be small/minified (better readable), but I'm curious why the extreme lengths they go to, also it seems to be actually 190 bytes not 130... Maybe it helps indirectly to be fast (at runtime, and well for download). They claim 2x faster, compared to UUID, but seeing the benchmarks it still seems slower compared to something else... e.g. "crypto.randomUUID".
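An added example, not part of the original issue and not the package's own code: a sketch of ID generation that defaults to Random.RandomDevice() as suggested in part A, next to a seeded MersenneTwister to show why the latter is unsuitable. The function name `generate_id`, the default size of 21 and the mask-and-reject sampling are assumptions of this example.

```julia
using Random

# Alphabet string as quoted in the issue (64 URL-safe characters).
const URL_ALPHABET = "useandom-26T198340PX75pxJACKVERYMINDBUSHWOLF_GQZbfghjklqvwyzrict"

# Hypothetical helper: draw `size` characters from `alphabet` using bytes
# taken from `rng`. The default rng is the OS entropy source.
function generate_id(size::Integer=21; alphabet::AbstractString=URL_ALPHABET,
                     rng::AbstractRNG=RandomDevice())
    chars = collect(alphabet)
    n = length(chars)
    1 < n <= 256 || throw(ArgumentError("alphabet must have 2..256 characters"))
    size > 0 || throw(ArgumentError("size must be positive"))
    # Smallest 2^k - 1 mask covering indices 0..n-1. Masked bytes that still
    # fall outside the alphabet are rejected, so no character is favoured
    # (a plain `byte % n` would bias alphabets whose length is not a power of 2).
    mask = UInt8(nextpow(2, n) - 1)
    out = Vector{Char}(undef, size)
    filled = 0
    while filled < size
        for b in rand(rng, UInt8, size)
            idx = Int(b & mask)
            idx < n || continue
            filled += 1
            out[filled] = chars[idx + 1]
            filled == size && break
        end
    end
    return String(out)
end

# A seeded MersenneTwister replays the same ID every time: whoever learns or
# guesses the generator state can reproduce the IDs it hands out.
a = generate_id(rng=MersenneTwister(1234))
b = generate_id(rng=MersenneTwister(1234))
@assert a == b

# RandomDevice cannot be seeded; each call reads fresh OS entropy.
id = generate_id()
@assert length(id) == 21 && all(c -> c in URL_ALPHABET, id)
println(id)

# Rejection path: a 3-character alphabet uses mask 0x03 and discards index 3.
@assert all(c -> c in "abc", generate_id(50; alphabet="abc"))
```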