Skip to content

Use rejection sampling to avoid bias in generateRandomString()#78

Merged
threepointone merged 3 commits intocloudflare:mainfrom
rc4:fix-42-generateRandomString-bias
Sep 23, 2025
Merged

Use rejection sampling to avoid bias in generateRandomString()#78
threepointone merged 3 commits intocloudflare:mainfrom
rc4:fix-42-generateRandomString-bias

Conversation

@rc4
Copy link
Contributor

@rc4 rc4 commented Sep 11, 2025

Fix #42 by rejecting outputs >= characters.length * 4 (248).

We initially generate 10% more random bytes than requested. If we expect to reject 3.1% of them; only one call to crypto.getRandomValues() should be required in >99% of cases.

If not, we get fresh values and go again until we've satisfied the requested length.

Let me know if there are any questions/concerns/anything I need to do on my end - I dug through the docs and it seemed pretty straightforward to contribute. 😄

@changeset-bot
Copy link

changeset-bot bot commented Sep 11, 2025
edited
Loading

🦋 Changeset detected

Latest commit: fdb93fc

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@cloudflare/workers-oauth-provider Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@kentonv
Copy link
Member

kentonv commented Sep 15, 2025

Hmm, thanks for taking a pass at it, but I was sort of thinking we should just add two characters to the alphabet instead. If we add _ and - then we have an even power-of-two alphabet which eliminates the bias.

@rc4
Copy link
Contributor Author

rc4 commented Sep 16, 2025

Even easier! I am perfectly happy to do that instead, but it seemed that you might have had a few reservations about taking that approach so I figured this would be a fun little exercise to try. If not that simplifies the implementation a good bit 🙂

@rc4
Copy link
Contributor Author

rc4 commented Sep 20, 2025

Done; I made sure - and _ are in the right order per the RFC for Base64url encoding. Could add a separate utility function for ArrayBuffer -> b64url (or extend the existing one(s)) but figured that'd be too much scope creep.

@pkg-pr-new
Copy link

pkg-pr-new bot commented Sep 23, 2025
edited
Loading

Open in StackBlitz

npm i https://pkg.pr.new/cloudflare/workers-oauth-provider/@cloudflare/workers-oauth-provider@78

commit: fdb93fc

@kentonv
Copy link
Member

kentonv commented Sep 23, 2025

@threepointone I think we should merge this but I've lost track of the tooling setup so not sure if there's something we should add, like a changeset or whatever, before merging. Can you take it?

@kentonv
Copy link
Member

kentonv commented Sep 23, 2025

And, thanks @rc4!

@threepointone
Copy link
Collaborator

threepointone commented Sep 23, 2025

on it

@threepointone threepointone force-pushed the fix-42-generateRandomString-bias branch from 8966873 to fdb93fc Compare September 23, 2025 20:28
@threepointone threepointone merged commit 32560d1 into cloudflare:main Sep 23, 2025
4 checks passed
@threepointone threepointone mentioned this pull request Sep 23, 2025
Merged
threepointone added a commit that referenced this pull request Sep 23, 2025
@threepointone @github-actions
Version Packages (#89)
b7784c7 
This PR was opened by the [Changesets
release](https://github.com/changesets/action) GitHub action. When
you're ready to do a release, you can merge this and the packages will
be published to npm automatically. If you're not ready to do a release
yet, that's fine, whenever you add more changesets to main, this PR will
be updated.


# Releases
## @cloudflare/workers-oauth-provider@0.0.11

### Patch Changes

- [#78](#78)
[`32560d1`](32560d1)
Thanks [@rc4](https://github.com/rc4)! - Use rejection sampling to avoid
bias in `generateRandomString()`

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@threepointone
Copy link
Collaborator

threepointone commented Sep 23, 2025

released in 0.0.11, thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kentonv kentonv kentonv approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Biased output from generateRandomString()

3 participants

@rc4 @kentonv @threepointone