From 21b4c4befb6c8ef7d51ee70426f30ea24abee256 Mon Sep 17 00:00:00 2001
From: ekzyis
Date: Wed, 17 Sep 2025 22:50:55 +0200
Subject: [PATCH] Add comment about magic login code security (#2544)
---
 pages/api/auth/[...nextauth].js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pages/api/auth/[...nextauth].js b/pages/api/auth/[...nextauth].js
index 8070d6ea..171c9a6b 100644
--- a/pages/api/auth/[...nextauth].js
+++ b/pages/api/auth/[...nextauth].js
@@ -408,7 +408,9 @@ function generateRandomString (length = 6, charset = BECH32_CHARSET) {
 const bytes = randomBytes(length)
 let result = ''
- // Map each byte to a character in the charset
+ // Even though we're creating biased numbers by mapping each byte to a bech32 character,
+ // this is still secure because it provides 30 bits of security (32^6 = 2^30)
+ // and we are limiting the number of attempts.
 for (let i = 0; i < length; i++) {
 result += charset[bytes[i] % charset.length]
 }
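Review bot: The added comment above the `for` loop describes the output as biased, but for the default arguments that does not hold: assuming BECH32_CHARSET has 32 characters (as the comment's own 32^6 implies), `bytes[i] % charset.length` is uniform because 256 is a multiple of 32. Bias appears only when a caller passes a charset whose length does not divide 256, and the 30-bit figure likewise applies only to the default `length = 6` with a 32-character charset. I would reword the comment to `// byte % 32 is uniform for the 32-char bech32 charset (256 is a multiple of 32); a charset whose length does not divide 256 would be biased.` followed by `// 6 chars give 30 bits (32^6 = 2^30), which is acceptable only because verification attempts are limited.` The attempt limit is enforced outside this hunk, so the comment should name where it lives, and the body of generateRandomString continues past the last visible line.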