refactor: replace base64url with hex encoding in token generation

[Copilot]

Token generation used base64url encoding, producing special characters (-, _) that complicate downstream handling.

Changes

• Replace crypto.randomBytes(32).toString('base64url') with crypto.randomBytes(22).toString('hex').slice(0, 43)
• Character set changes from [A-Za-z0-9_-] to [0-9a-f]
• Entropy reduced from 256 bits to 172 bits (sufficient for token use case)
• Token length remains 43 characters

// Before
export function generateCdeToken() {
    return crypto.randomBytes(32).toString('base64url');
}
// Output: "Xk7_mQ-pN2vLzR8qW3fH4jK9sT6uY1cV5bA0eGhIjK"

// After
export function generateCdeToken() {
    return crypto.randomBytes(22).toString('hex').slice(0, 43);
}
// Output: "a3f2d8e1b4c9f7e6a2d5c8b1e4f7a9c2d6e8f1a3b"

Files Modified

• util/token-generator.js

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/GlueOps/slackbot-developer-workspaces/pulls/400/commits
  • Triggering command: /usr/bin/curl curl -s -H Accept: application/vnd.github.v3+json REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

Summary

Update the generateCdeToken function in util/token-generator.js to use hex encoding instead of base64url encoding to remove special characters from generated tokens.

Current Implementation

The current implementation uses base64url encoding which includes special characters - and _:

import crypto from 'crypto';

export function generateCdeToken() {
    return crypto.randomBytes(32).toString('base64url');
}

Desired Implementation

Replace with hex encoding to produce only alphanumeric characters (0-9, a-f):

import crypto from 'crypto';

/**
 * Generates a 43-character random token with only alphanumeric characters
 * Character set: 0-9, a-f (hex)
 */
export function generateCdeToken() {
    return crypto.randomBytes(22).toString('hex').slice(0, 43);
}

Why this change

• Removes special characters (- and _) from tokens
• Simpler implementation with no bias concerns
• Uses built-in Node.js functionality
• 172 bits of entropy is still highly secure

File to modify

• util/token-generator.js

This pull request was created from Copilot chat.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[Copilot]

Pull request overview

This PR replaces base64url encoding with hex encoding for CDE token generation to eliminate special characters (-, _) and simplify token handling. The change reduces entropy from 256 bits to 172 bits while maintaining cryptographic security.

Changes:

• Modified token generation from crypto.randomBytes(32).toString('base64url') to crypto.randomBytes(22).toString('hex').slice(0, 43)
• Updated documentation to reflect hex character set (0-9, a-f) instead of base64url
• Token length remains 43 characters

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.