security: Replace Math.random() with cryptographically secure invite code generation

[claude]

Summary

Invite codes are generated client-side using Math.random(), which is not cryptographically secure.

Finding

File: app/(app)/(tabs)/profile/index.tsx:169

const code = Math.random().toString(36).substring(2, 10).toUpperCase();

Risk

• Math.random() produces approximately 41 bits of entropy
• An attacker could enumerate or predict valid invite codes
• Invite codes grant ability to link sponsor-sponsee relationships
• No server-side uniqueness or rate-limiting controls

Recommended Fix

Option 1: Server-side generation (preferred)
Move invite code generation to a Supabase Edge Function or PostgreSQL function:

encode(gen_random_bytes(6), 'hex')

Option 2: Client-side with crypto API
Use expo-crypto or crypto.getRandomValues():

import * as Crypto from 'expo-crypto';
const randomBytes = await Crypto.getRandomBytesAsync(6);
const code = Array.from(randomBytes)
  .map(b => b.toString(16).padStart(2, '0'))
  .join('')
  .toUpperCase()
  .slice(0, 8);

Impact

HIGH - Weak invite codes could allow unauthorized sponsor-sponsee relationship creation.

References

• Related to 📋 Daily Codebase Review - 2026-02-24 #390 (Daily Codebase Review)

[coderabbitai]

⚠️ Possible Duplicate Issue(s)

• security: Replace Math.random() with crypto.getRandomValues() for invite codes #320

---

📝 Issue Planner

_{Check the box below or use the @coderabbitai plan command to generate an implementation plan and prompts that you can use with your favorite coding assistant.}

✅ Successfully generated implementation plan.

💡 Use @coderabbitai <feedback> to replan

---

🧪 Issue enrichment is currently in open beta.

You can configure auto-planning by selecting labels in the issue_enrichment configuration.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

💬 Have feedback or questions? Drop into our discord!

[coderabbitai]

Coding Plan

Summary

• Create a new generate-invite-code Edge Function using Deno's Web Crypto API for cryptographically secure random generation
• The function authenticates via JWT, generates codes with proper entropy, and atomically inserts into the database with collision retry
• The client's generateInviteCode function is simplified to invoke the Edge Function and handle the response
• Existing UI flows (dialogs, share sheet, toasts) remain unchanged

Design Choices

Design Choice 1: Server-side vs. enhanced client-side generation approach

Options Considered:

1. Supabase Edge Function: Generate code server-side using Deno's Web Crypto API, insert into DB atomically, return code to client. Provides centralized control and atomic generation+insert.
2. PostgreSQL Function via RPC: Use gen_random_bytes() in a PL/pgSQL function called via supabase.rpc(). Simpler deployment, faster execution.
3. Client-side expo-crypto: Use getRandomBytesAsync() from expo-crypto. Minimal changes, but keeps generation client-side.

Chosen Option: 1

Rationale: Option 1 (Edge Function): Aligns with the ticket's explicit preference for server-side, matches existing Edge Function patterns in the codebase, and provides atomic code generation with DB insertion for cleaner error handling.

💡 User Tips

Regenerate the plan with different choices with @coderabbitai <feedback>.

Implementation Steps

Phase 1: Create Secure Invite Code Generation Edge Function

Create a new Supabase Edge Function that generates cryptographically secure invite codes and inserts them atomically into the database, following the patterns established by the existing daily-reflection function.

Create the Edge Function

Implement the server-side invite code generation with proper authentication and collision handling.

• Create new function at supabase/functions/generate-invite-code/index.ts following the structure of daily-reflection
• Define CORS headers constant matching the existing pattern (Access-Control-Allow-Origin: *, etc.)
• Handle OPTIONS preflight and enforce POST-only requests
• Extract and validate the user's JWT from the Authorization header to get the authenticated user's ID (sponsor_id)
• Generate 8-character uppercase alphanumeric code using Deno's Web Crypto API (crypto.getRandomValues()) with sufficient entropy
• Set expiration to 30 days from generation (matching current behavior)
• Insert into invite_codes table using the service role key via Supabase REST API
• Implement retry logic (2-3 attempts) on UNIQUE constraint violations to handle rare collisions
• Return JSON response with the generated code on success, or appropriate error status (401 for auth failures, 500 for generation failures)

🤖 Prompt for AI agents

Create a new Supabase Edge Function at
`supabase/functions/generate-invite-code/index.ts` that generates
cryptographically secure invite codes and atomically inserts them into the
database.

- Follow the structure and patterns of the existing `daily-reflection` Edge
Function
- Define a CORS headers constant matching the existing pattern (e.g.
`Access-Control-Allow-Origin: *`)
- Handle OPTIONS preflight requests and enforce POST-only access for all other
requests
- Extract and validate the user's JWT from the `Authorization` header to
retrieve the authenticated user's ID, which will be used as the `sponsor_id`;
return a 401 response on auth failure
- Generate an 8-character uppercase alphanumeric code using Deno's Web Crypto
API (`crypto.getRandomValues()`) with sufficient entropy
- Set the code's expiration to 30 days from the time of generation, matching
current client-side behavior
- Insert the generated code into the `invite_codes` table using the service role
key accessed via `Deno.env.get()`, making the request via the Supabase REST API
- Implement retry logic (2-3 attempts) to handle rare UNIQUE constraint
collisions — regenerate and retry on conflict
- On success, return a JSON response containing the generated code; on failure,
return a 500 status with an appropriate error message

Phase 2: Update Client to Use Edge Function

Modify the profile screen to call the new Edge Function instead of generating codes locally, preserving all existing UI behaviors.

Replace Local Code Generation with Edge Function Call

Update the generateInviteCode function to delegate to the server.

• Modify generateInviteCode in app/(app)/(tabs)/profile/index.tsx to call supabase.functions.invoke('generate-invite-code') instead of local generation
• Remove the Math.random() code generation and direct supabase.from('invite_codes').insert() call
• Extract the returned code from the Edge Function response
• Preserve all existing post-generation behavior: web clipboard dialog via showConfirm, native share sheet via Share.share(), and error toast on failure
• Handle Edge Function-specific errors (network failures, auth errors) with appropriate user-facing messages

🤖 Prompt for AI agents

Update the `generateInviteCode` function in `app/(app)/(tabs)/profile/index.tsx`
to delegate code generation to the new Edge Function instead of generating
locally.

- Replace the `Math.random()` code generation logic and direct
`supabase.from('invite_codes').insert()` call with a call to
`supabase.functions.invoke('generate-invite-code')`
- Extract the returned code from the Edge Function response data
- Preserve all existing post-generation UI behavior:
  - Web clipboard dialog via `showConfirm`
  - Native share sheet via `Share.share()`
  - Error toast on failure
- Handle Edge Function-specific errors such as network failures and auth errors
with appropriate user-facing messages

Phase 3: Update Tests

Ensure test coverage reflects the new architecture while maintaining existing test assertions.

Update Profile Screen Test Mocks

Adjust the test mocks to handle Edge Function invocation instead of direct table inserts.

• Update __tests__/app/profile.test.tsx to mock supabase.functions.invoke for the generate-invite-code function
• Modify the mock to return { data: { code: 'TEST1234' }, error: null } for success cases
• Update error case tests to simulate Edge Function failures via mock response { data: null, error: { message: '...' } }
• Ensure existing assertions (Alert.alert called with code, error toast on failure) continue to pass
• Remove or update any mocks for direct invite_codes table inserts that are no longer used in generation flow

🤖 Prompt for AI agents

Update `__tests__/app/profile.test.tsx` to reflect the new Edge Function-based
invite code generation architecture.

- Add a mock for `supabase.functions.invoke` targeting the
`generate-invite-code` function
- For success cases, configure the mock to return `{ data: { code: 'TEST1234' },
error: null }`
- For error cases, configure the mock to return `{ data: null, error: { message:
'...' } }` to simulate Edge Function failures
- Verify that existing assertions still pass: `Alert.alert` called with the code
on success, and error toast shown on failure
- Remove or update any mocks for direct `invite_codes` table inserts that are no
longer part of the generation flow

Research

The Sobers app uses Expo/React Native with Supabase as the backend. Invite codes are currently generated client-side in app/(app)/(tabs)/profile/index.tsx using Math.random(), then inserted into the invite_codes table which has a UNIQUE NOT NULL constraint on the code column. One Edge Function already exists (daily-reflection) following a pattern of CORS headers, service role key access via Deno.env.get(), and raw fetch to Supabase REST API. The client calls Edge Functions using supabase.functions.invoke() as demonstrated in lib/daily-reflections.ts.

---

🚀 Next Steps

🤖 All AI agent prompts combined

Task: 1

Create a new Supabase Edge Function at
`supabase/functions/generate-invite-code/index.ts` that generates
cryptographically secure invite codes and atomically inserts them into the
database.

- Follow the structure and patterns of the existing `daily-reflection` Edge
Function
- Define a CORS headers constant matching the existing pattern (e.g.
`Access-Control-Allow-Origin: *`)
- Handle OPTIONS preflight requests and enforce POST-only access for all other
requests
- Extract and validate the user's JWT from the `Authorization` header to
retrieve the authenticated user's ID, which will be used as the `sponsor_id`;
return a 401 response on auth failure
- Generate an 8-character uppercase alphanumeric code using Deno's Web Crypto
API (`crypto.getRandomValues()`) with sufficient entropy
- Set the code's expiration to 30 days from the time of generation, matching
current client-side behavior
- Insert the generated code into the `invite_codes` table using the service role
key accessed via `Deno.env.get()`, making the request via the Supabase REST API
- Implement retry logic (2-3 attempts) to handle rare UNIQUE constraint
collisions — regenerate and retry on conflict
- On success, return a JSON response containing the generated code; on failure,
return a 500 status with an appropriate error message
===============================================================================

Task: 2

Update the `generateInviteCode` function in `app/(app)/(tabs)/profile/index.tsx`
to delegate code generation to the new Edge Function instead of generating
locally.

- Replace the `Math.random()` code generation logic and direct
`supabase.from('invite_codes').insert()` call with a call to
`supabase.functions.invoke('generate-invite-code')`
- Extract the returned code from the Edge Function response data
- Preserve all existing post-generation UI behavior:
  - Web clipboard dialog via `showConfirm`
  - Native share sheet via `Share.share()`
  - Error toast on failure
- Handle Edge Function-specific errors such as network failures and auth errors
with appropriate user-facing messages
===============================================================================

Task: 3

Update `__tests__/app/profile.test.tsx` to reflect the new Edge Function-based
invite code generation architecture.

- Add a mock for `supabase.functions.invoke` targeting the
`generate-invite-code` function
- For success cases, configure the mock to return `{ data: { code: 'TEST1234' },
error: null }`
- For error cases, configure the mock to return `{ data: null, error: { message:
'...' } }` to simulate Edge Function failures
- Verify that existing assertions still pass: `Alert.alert` called with the code
on success, and error toast shown on failure
- Remove or update any mocks for direct `invite_codes` table inserts that are no
longer part of the generation flow

💡 Iterate on the plan with: @coderabbitai <feedback>

Example Feedback
- `@coderabbitai` You can skip phase 3. Add a simple unit test case for phase 2.
- `@coderabbitai` For design choice 1 go ahead with option 3 and replan.

---

💬 Have feedback or questions? Drop into our discord!