Issues based on koolba's comments

[seveibar]

from koolba via hacker news

• You can promisify randomBytes once and reuse it rather than twice for every invocation
• There shouldn’t be a default value for the company name or people will end up using it.
• The company name isn’t validated so it could contain underscores which would cause issues with the short token parsing as it assumes it’s the second “chunk”
• The equals comparison of the hashes for the secrets is not timing safe. It’s not as bad as if they were plain text but it does short circuit due to how string equals works. Use the actual built in timing safe equals on the Buffer hash (not the stringified hex).

[puskuruk]

I've created a small pr for the 2 issues above. But I think we should improve it. We should give an error when there is no keyPrefix. What is the best approach for giving errors in your use case?

#3

[seveibar]

Hey @puskuruk ! Thanks for the PR, a big improvement. throw new Error("keyPrefix is required") is good and simple enough for now! Created #4 for anyone who wants to pick it up!