From e0e080c599fe1d3e0e94039c3288d2169c44779b Mon Sep 17 00:00:00 2001
From: Nicholas Ellul
Date: Tue, 9 Feb 2021 11:29:53 -0500
Subject: [PATCH] Use random bytes when generating nonce
---
 CHANGELOG.md | 1 +
 src/utils/nonce.ts | 15 +++++++++------
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index db4fe2b0f..7719455cf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ and adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 ### Added
 - Webhooks types are now exported outside the library [#91](https://github.com/shopify/shopify-node-api/pull/91)
 ### Fixed
+- Use cryptographically random bytes to generate nonce [#98](https://github.com/Shopify/shopify-node-api/pull/98)
 ## [0.3.1] - 2021-02-03
 ### Fixed
diff --git a/src/utils/nonce.ts b/src/utils/nonce.ts
index 3e284867b..1c6b74b6d 100644
--- a/src/utils/nonce.ts
+++ b/src/utils/nonce.ts
@@ -1,11 +1,14 @@
+import crypto from 'crypto';
+
 export default function nonce(): string {
 const length = 15;
- let nonce = '';
+ const bytes = crypto.randomBytes(length);
- for (let i = 0; i <= 3; i++) {
- nonce += Math.round(Number(new Date()) * Math.random());
- }
+ const nonce = bytes
+ .map((byte) => {
+ return byte % 10;
+ })
+ .join('');
- const str = nonce.substr(nonce.length - length);
- return str;
+ return nonce;
 }
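Review bot: The `.map((byte) => { return byte % 10; })` step in the nonce.ts hunk discards most of the randomness the change introduces — each 8-bit byte is collapsed to one of ten digits (about 3.3 bits), and because 256 is not a multiple of 10, digits 0–5 come out slightly more often than 6–9. The resulting 15-digit string carries roughly 50 bits of entropy rather than the 120 bits that `crypto.randomBytes(15)` produces; that is probably still adequate for a state nonce, but if callers do not depend on a digits-only value, `return crypto.randomBytes(length).toString('hex');` keeps the full 120 bits with no bias and fewer lines. Separately, `import crypto from 'crypto';` is a default import of a CommonJS module and only compiles with TypeScript's `esModuleInterop` enabled, whereas `import { randomBytes } from 'crypto';` works regardless of that setting. A one-line header comment would also help readers, e.g. `/** Returns a 15-character string of random decimal digits derived from crypto.randomBytes. */`.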