DEV Community

Sammit Pal
Sammit Pal

Posted on

Building a Zero-Dependency Random String Generator for Node.js (With Secure Mode)

#typescript #javascript #node #opensource

Generating random strings is one of those things every backend developer ends up doing — IDs, tokens, session keys, you name it.

But while working on this, I realized most implementations fall into a few common traps:

  • Using Math.random() everywhere (not secure)
  • Inefficient "generate + filter" logic
  • Pulling heavy dependencies for a simple problem

So I decided to build a clean solution from scratch — and learned a few interesting things along the way.

❌ The Common Mistake

A lot of implementations generate from a full alphanumeric charset and then filter results using a regex check inside the loop — only keeping characters that match the desired type. This means:

Problems:

  • Wastes iterations (filtering)
  • Uses regex inside loops
  • Performance depends on randomness
  • Hard to maintain

✅ A Better Approach

Instead of generating and filtering — generate directly from the correct character set. Pre-define separate charsets for alpha, numeric, and alphanumeric, then index into the right one. This eliminates filtering entirely and keeps every iteration productive.

🔐 Adding a Secure Layer

For things like API keys, auth tokens, and session IDs — Math.random() is not enough.

So I implemented a secure version using the Web Crypto API (crypto.getRandomValues), with rejection sampling to eliminate modulo bias — ensuring every character in the charset has a perfectly uniform probability of being chosen.

🧠 Why This Matters

🔹 Cryptographic randomness
Uses OS-level entropy instead of pseudo-random numbers.

🔹 No modulo bias
Ensures uniform distribution of characters.

🔹 Predictable performance
O(n) complexity with no wasted iterations.

⚡ Final API Design

I wrapped everything into a simple interface:

generateCode({ length: 12 });
generateCode({ length: 12, type: "alpha" });
generateCode({ length: 12, secure: true });
Enter fullscreen mode Exit fullscreen mode

📦 The Result

I packaged this into a small utility: genkode — random string & ID generator (zero dependency).

import { generateCode } from "genkode";

generateCode({ length: 10 });
// "a8KxP2LmQz"
Enter fullscreen mode Exit fullscreen mode

👉 https://www.npmjs.com/package/genkode

💡 Key Takeaways

  • Avoid generate + filter patterns
  • Use the correct character domain upfront
  • Use crypto for anything security-related
  • Keep utilities simple and dependency-free

If you've tackled this differently or have suggestions, I'd love to hear them 👇

Top comments (0)