is base64 encoding url safe?

Question

I'm using a node.bcrypt.js hash returning hex numbers in node.js for a password reset token.

user.reset_password_token = require('crypto').randomBytes(32).toString('hex'
);

Should I also base64 encode the token before I pass it around in urls (ie: link reset email)?

Is there any benefit to doing this?

I seem to recall base64 encoding can contain forward slashes which would mess up the path:

   var token = user.reset_password_token;

   //is there any benefit to doing base64 encoding?
   var encoded_token = new Buffer(token).toString('base64');

   var reset_link = 'http://example.com/reset/'+ encoded_token;
   sendResetLink( reset_link );

http://stackoverflow.com/questions/1374753/passing-base64-encoded-strings-in-url (no, points out non-URL safe characters), http://stackoverflow.com/questions/1228701/code-for-decoding-encoding-a-modified-base64-url (talks about modified version) — , Sep 27 '12 at 22:37
Here is an *old* answer I wrote [for an alternative way to address this](http://stackoverflow.com/questions/4395706/base64-encoding-that-doesnt-use-plus-or-equals-characters/4395900#4395900) that only requires a trivial pre/post replacement step for a variant base64 escape-encoding that doesn't require non-alphanumeric ASCII characters. — , Sep 27 '12 at 22:44

score 6 · Answer 1 · edited Nov 03 '20 at 12:30

6

I solved it using URLSafeBase64 nodejs LIB at https://www.npmjs.org/package/urlsafe-base64

var email =email_lines.join("\r\n").trim();
var base64EncodedEmail = URLSafeBase64.encode(new Buffer(email));
gmail.users.messages.send({userId:"me",
        resource: {raw:base64EncodedEmail} }, callbackFn});

edited Nov 03 '20 at 12:30

peterh

1
15
76
99

answered Nov 03 '14 at 20:36

Luis Loaiza

61
1
2

Ihor Sakailiuk · Answer 2 · 2022-04-21T10:13:35.613

4

You don't need a third-party library for that. You can just use base64url encoding (starting from nodejs v14.18.0)

const encoded_token = Buffer.from(token).toString('base64url');

edited Apr 21 '22 at 10:13

answered Feb 09 '22 at 11:43

Ihor Sakailiuk

4,714
3
22
26

Does not work on my side, the base64url library works like a charm – Kevin Kreps Apr 14 '22 at 13:54
I don't know when it was introduced exactly but v14.19.1 can handle base64url – Philipp Kyeck Apr 21 '22 at 07:59
v14.18.0 https://nodejs.org/docs/latest-v14.x/api/buffer.html – Ihor Sakailiuk Apr 21 '22 at 10:13

score 0 · Answer 3 · answered Feb 25 '19 at 04:07

0

Another option is base64url library:

base64url("ladies and gentlemen we are floating in space");
// bGFkaWVzIGFuZCBnZW50bGVtZW4gd2UgYXJlIGZsb2F0aW5nIGluIHNwYWNl

answered Feb 25 '19 at 04:07

Pavel Chuchuva

21,996
9
95
113

score -1 · Accepted Answer · answered Sep 27 '12 at 22:36

-1

base64 can indeed contain forward slashes, but base32 can't!

answered Sep 27 '12 at 22:36

Gung Foo

13,096
5
30
39

Does this implicitly imply that it base64 is unsuitable for URIs (e.g. are they *invalid*)? Or does it simply that handling needs to be different? – Sep 27 '12 at 22:46
1

look at the set of possible characters. if you do not change the available characters used for encoding, then a cell could (theoretically) equate to a value of 64, which would give you a / in your string. Change the charset for your base64 function or use base32 – Gung Foo Sep 27 '12 at 22:50
Thanks, do you think there is any benefit to using base32 encoded string, instead of the un-encoded token? – chovy Sep 28 '12 at 00:59
base32 encoded strings will take up more room than base64 ones since there is only half the characters to encode with, i see no benefit, no :) – Gung Foo Sep 28 '12 at 07:44

is base64 encoding url safe?

4 Answers4

Linked