use secure random value for challenge

src/pow.ts

@@ -1,4 +1,4 @@
-import { createHash } from 'crypto';
+import { createHash, randomBytes } from 'crypto';
 import type { Request, Response } from 'express';
 import type { Express } from 'express';
 import type { Dialect } from 'kysely';
@@ -122,17 +122,8 @@ export class ProofOfWork {
   }
 }
 
-const challengeCharacters =
-  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
-
 function generateChallenge(): string {
-  let challenge = '';
-  while (challenge.length < 10) {
-    challenge += challengeCharacters.charAt(
-      Math.floor(Math.random() * challengeCharacters.length),
-    );
-  }
-  return challenge;
+  return randomBytes(10).toString('base64');
 }
 
 interface AuthorizedTenants {

tests/http-api.spec.ts

@@ -72,7 +72,7 @@ describe('http api', function () {
         challenge: string;
         complexity: number;
       };
-      expect(body.challenge.length).to.equal(10);
+      expect(body.challenge.length).to.equal(16);
       expect(body.complexity).to.equal(5);
     });
 
@@ -83,7 +83,7 @@ describe('http api', function () {
         challenge: string;
         complexity: number;
       };
-      expect(body.challenge.length).to.equal(10);
+      expect(body.challenge.length).to.equal(16);
       expect(body.complexity).to.equal(5);
 
       // solve the challenge
@@ -119,7 +119,7 @@ describe('http api', function () {
           challenge: string;
           complexity: number;
         };
-        expect(body.challenge.length).to.equal(10);
+        expect(body.challenge.length).to.equal(16);
 
         // solve the challenge
         let response = '';
@@ -172,7 +172,7 @@ describe('http api', function () {
         challenge: string;
         complexity: number;
       };
-      expect(body.challenge.length).to.equal(10);
+      expect(body.challenge.length).to.equal(16);
 
       // generate a nonce
       let response = generateNonce(5);