refactor(api): use secure RNG, closes #1356 (#1398)

.changes/secure-rng.md

@@ -0,0 +1,5 @@
+---
+"api": patch
+---
+
+Use secure RNG on callback function names.

api/src/tauri.ts

@@ -7,27 +7,12 @@ declare global {
   }
 }
 
-function s4(): string {
-  return Math.floor((1 + Math.random()) * 0x10000)
-    .toString(16)
-    .substring(1)
-}
-
 function uid(): string {
-  return (
-    s4() +
-    s4() +
-    '-' +
-    s4() +
-    '-' +
-    s4() +
-    '-' +
-    s4() +
-    '-' +
-    s4() +
-    s4() +
-    s4()
-  )
+  const length = new Int8Array(1)
+  window.crypto.getRandomValues(length)
+  const array = new Uint8Array(Math.max(16, Math.abs(length[0])))
+  window.crypto.getRandomValues(array)
+  return array.join('')
 }
 
 function transformCallback(

tauri/scripts/core.js

@@ -7,29 +7,14 @@ if (!String.prototype.startsWith) {
 }
 
 (function () {
-  function s4() {
-    return Math.floor((1 + Math.random()) * 0x10000)
-      .toString(16)
-      .substring(1);
+  function uid() {
+    const length = new Int8Array(1)
+    window.crypto.getRandomValues(length)
+    const array = new Uint8Array(Math.max(16, Math.abs(length[0])))
+    window.crypto.getRandomValues(array)
+    return array.join('')
   }
 
-  var uid = function () {
-    return (
-      s4() +
-      s4() +
-      "-" +
-      s4() +
-      "-" +
-      s4() +
-      "-" +
-      s4() +
-      "-" +
-      s4() +
-      s4() +
-      s4()
-    );
-  };
-
   function ownKeys(object, enumerableOnly) {
     var keys = Object.keys(object);
     if (Object.getOwnPropertySymbols) {