Replace uuidv4 generator with crypto.randomUUID() (#8600)

dlarocque · web-flow · commit 25a6204c1531 · 2025-01-08T11:20:46.000-05:00
* Replace uuidv4 generator with `crypto.randomUUID()` The uuidv4 generator in util used `Math.random()`, which does not provide strong uniqueness guarantees (https://www.bocoup.com/blog/random-numbers). The places where the uuidv4 generator were used didn't require strong uniqueness guarantees (nothing security related), but I think it's good to move away from this from util in case we try to use it in the future. A better built-in alternative is `crypto.randomUUID()`, which does provide strong uniqueness guarantees. Since this is a more modern JS built-in, it's only [defined in secure contexts](https://blog.mozilla.org/security/2018/01/15/secure-contexts-everywhere/). Is this something we're concerned about? Are there any App Check users with apps running in non-secure environments? * Update API reports * Add changeset * Add comment about availability restricted to secure contexts --------- Co-authored-by: dlarocque <dlarocque@users.noreply.github.com>
diff --git a/.changeset/fluffy-rules-pretend.md b/.changeset/fluffy-rules-pretend.md
@@ -0,0 +1,6 @@
+---
+'@firebase/app-check': patch
+'@firebase/util': patch
+---
+
+Generate UUIDs with `crypto.randomUUID()` instead of custom uuidv4 function that uses `Math.random()`.
diff --git a/common/api-review/util.api.md b/common/api-review/util.api.md
@@ -476,9 +476,6 @@ export interface Subscribe<T> {
 // @public (undocumented)
 export type Unsubscribe = () => void;
 
-// @public
-export const uuidv4: () => string;
-
 // Warning: (ae-missing-release-tag) "validateArgCount" is exported by the package, but it is missing a release tag (@alpha, @beta, @public, or @internal)
 //
 // @public
diff --git a/packages/app-check/src/storage.ts b/packages/app-check/src/storage.ts
@@ -16,7 +16,7 @@
  */
 
 import { FirebaseApp } from '@firebase/app';
-import { isIndexedDBAvailable, uuidv4 } from '@firebase/util';
+import { isIndexedDBAvailable } from '@firebase/util';
 import {
   readDebugTokenFromIndexedDB,
   readTokenFromIndexedDB,
@@ -77,7 +77,8 @@ export async function readOrCreateDebugTokenFromStorage(): Promise<string> {
 
   if (!existingDebugToken) {
     // create a new debug token
-    const newToken = uuidv4();
+    // This function is only available in secure contexts. See https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts
+    const newToken = crypto.randomUUID();
     // We don't need to block on writing to indexeddb
     // In case persistence failed, a new debug token will be generated every time the page is refreshed.
     // It renders the debug token useless because you have to manually register(whitelist) the new token in the firebase console again and again.
diff --git a/packages/data-connect/test/queries.test.ts b/packages/data-connect/test/queries.test.ts
@@ -15,7 +15,6 @@
  * limitations under the License.
  */
 
-import { uuidv4 } from '@firebase/util';
 import { expect, use } from 'chai';
 import chaiAsPromised from 'chai-as-promised';
 
@@ -51,11 +50,11 @@ interface TaskListResponse {
 
 const SEEDED_DATA = [
   {
-    id: uuidv4(),
+    id: crypto.randomUUID(),
     content: 'task 1'
   },
   {
-    id: uuidv4(),
+    id: crypto.randomUUID(),
     content: 'task 2'
   }
 ];
diff --git a/packages/database/test/helpers/util.ts b/packages/database/test/helpers/util.ts
@@ -16,7 +16,6 @@
  */
 
 import { FirebaseApp, initializeApp } from '@firebase/app';
-import { uuidv4 } from '@firebase/util';
 import { expect } from 'chai';
 
 import {
@@ -105,7 +104,7 @@ export function waitFor(waitTimeInMS: number) {
 
 // Creates a unique reference using uuid
 export function getUniqueRef(db: Database) {
-  const path = uuidv4();
+  const path = crypto.randomUUID();
   return ref(db, path);
 }
 
diff --git a/packages/util/index.node.ts b/packages/util/index.node.ts
@@ -38,7 +38,6 @@ export * from './src/sha1';
 export * from './src/subscribe';
 export * from './src/validation';
 export * from './src/utf8';
-export * from './src/uuid';
 export * from './src/exponential_backoff';
 export * from './src/formatters';
 export * from './src/compat';
diff --git a/packages/util/index.ts b/packages/util/index.ts
@@ -33,7 +33,6 @@ export * from './src/sha1';
 export * from './src/subscribe';
 export * from './src/validation';
 export * from './src/utf8';
-export * from './src/uuid';
 export * from './src/exponential_backoff';
 export * from './src/formatters';
 export * from './src/compat';
diff --git a/packages/util/src/uuid.ts b/packages/util/src/uuid.ts

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,6 @@`
`15`	`15`	`* limitations under the License.`
`16`	`16`	`*/`
`17`	`17`
`18`		`-import { uuidv4 } from '@firebase/util';`
`19`	`18`	`import { expect, use } from 'chai';`
`20`	`19`	`import chaiAsPromised from 'chai-as-promised';`
`21`	`20`
`@@ -51,11 +50,11 @@ interface TaskListResponse {`
`51`	`50`
`52`	`51`	`const SEEDED_DATA = [`
`53`	`52`	`{`
`54`		`- id: uuidv4(),`
	`53`	`+ id: crypto.randomUUID(),`
`55`	`54`	`content: 'task 1'`
`56`	`55`	`},`
`57`	`56`	`{`
`58`		`- id: uuidv4(),`
	`57`	`+ id: crypto.randomUUID(),`
`59`	`58`	`content: 'task 2'`
`60`	`59`	`}`
`61`	`60`	`];`