At the moment, LoopBack uses the builtin "crypto" module in several places. When building a browser bundle, the crypto module adds a whopping 650kb of code (unminified). We should review the usages of the "crypto" module and replace them with a smaller implementation like sha.js and randombytes where possible.
This may be a breaking change.
A (partial) list of places to fix:
- `User.generateVerificationToken` uses `crypto.randomBytes`.
  Proposal: use randombytes module instead.
- `Change.hash` uses `crypto.createHash`. Defaults to `sha1`, but allows the user to provide a custom value.
  Proposal: remove the config option, always use `require('sha.js/sha1')` instead. Users should override the whole `Change.hash` method if they want to use a different algorithm.
  BREAKING CHANGE
- Application `generateKey` uses `crypto.createRandomBytes` and `crypto.createHmac`.
  Proposal: either disable these methods in the browser or use a lightweight js-only implementation like hmac when running in the browser.
- `AccessToken.createAccessTokenId` uses `uid2` which uses `crypto.pseudoRandomBytes`.
  Proposal: use randombytes module instead. Consider creating a different AccessToken model for the browser, since it's rather unusual to create new AccessTokens in the browser client.
- `User.hasPassword` and `User.hashPassword` are using `bcryptjs` that needs `crypto`. See User passwords in the browser #1249 for the relevant discussion.
- remote connector uses request that internally depends on crypto.
Note: crypto-browserify provides a stream-based interface in many places where a plain string/buffer interface would be sufficient. The stream-based interface adds another 55kb via readable-stream and 43kb via browserify buffer. When picking a replacement for the crypto module, we should prefer low-level libraries without a stream interface in order to keep the bundle size low.
In case we can't make the breaking change in Change.hash, then we can at least try to use create-hash directly instead of crypto.createHash; it should decrease the bundle size too.
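The property a lightweight replacement for `crypto.randomBytes` has to keep is that token bytes still come from a CSPRNG. The sketch below is an added example, not LoopBack code and not from the issue author: it builds token bytes directly on the Web Crypto `getRandomValues` call, splits requests to stay under its 65536-byte per-call limit, and refuses to run when no secure source exists. The names `secureRandomBytes` and `newTokenId`, the injectable `source` parameter and the 32-byte hex token format are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not part of LoopBack or randombytes.
// getRandomValues() throws QuotaExceededError above 65536 bytes per call.
const MAX_CHUNK = 65536;

// Returns `size` bytes from a CSPRNG. `source` defaults to the platform's
// Web Crypto object and is injectable so the logic can be tested offline.
function secureRandomBytes(size, source = globalThis.crypto) {
  if (!Number.isInteger(size) || size < 0) {
    throw new RangeError('size must be a non-negative integer');
  }
  // Fail closed: without a CSPRNG no token is issued at all.
  // There is deliberately no Math.random() fallback here.
  if (!source || typeof source.getRandomValues !== 'function') {
    throw new Error('no cryptographically secure random source available');
  }
  const out = new Uint8Array(size);
  for (let off = 0; off < size; off += MAX_CHUNK) {
    // subarray() is a view, so each call fills its slice of `out` in place.
    source.getRandomValues(out.subarray(off, Math.min(off + MAX_CHUNK, size)));
  }
  return out;
}

// Hex-encodes `bytes` random bytes (32 bytes = 256 bits is an assumed size).
function newTokenId(bytes = 32, source = globalThis.crypto) {
  let hex = '';
  for (const b of secureRandomBytes(bytes, source)) {
    hex += b.toString(16).padStart(2, '0');
  }
  return hex;
}
```

When reviewing a candidate replacement module, the check to make is the same one this sketch encodes: what the module does on a platform where `getRandomValues` is missing.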