Open paragonie-scott opened 6 years ago
Am I missing something here?
The nonce in OAuth is used more to prevent the service from processing the same request multiple times than to prevent some security issue.
Worst case, valid requests will be flagged as invalid.
Without a way for the attacker to use their own new nonce and the ability to create a new valid signature with it, what good is it to the attacker?
Not arguing it's a suboptimal solution.
Am I missing something here?
Nope. I just wanted to call attention to it and suggest using random_int() and bin2hex(random_bytes(16)) respectively.
Offending code:
How to do it instead:
https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php
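As an added illustration, not code from this issue or from the project, here is a nonce generator built on the functions recommended above next to a server-side replay check of the kind the first comment describes (a request is rejected when its timestamp is stale or its nonce has already been seen). The function and class names, the 300-second window, and the weak contrast function are all assumptions; the issue's actual offending code is not reproduced here.

```php
<?php
declare(strict_types=1);

// Added example, not the project's code. Names are illustrative.

// A typical non-CSPRNG pattern (assumed, not the code from this issue):
// mt_rand()/uniqid() are predictable, so this is shown only for contrast.
function weakNonce(): string
{
    return md5(uniqid((string) mt_rand(), true));
}

// Recommended: 16 bytes from the OS CSPRNG, hex-encoded (32 characters).
function strongNonce(): string
{
    return bin2hex(random_bytes(16));
}

// Server side: the nonce only stops replays if the service remembers
// which (consumer key, timestamp, nonce) triples it has already accepted.
final class NonceStore
{
    /** @var array<string, int> "consumer|timestamp|nonce" => expiry (unix time) */
    private array $seen = [];

    public function __construct(private int $windowSeconds = 300) {}

    // Returns true for a fresh request, false when stale or replayed.
    public function acceptRequest(string $consumerKey, int $timestamp, string $nonce, ?int $now = null): bool
    {
        $now ??= time();
        // Timestamps outside the window are rejected; this also bounds the store.
        if (abs($now - $timestamp) > $this->windowSeconds) {
            return false;
        }
        // Drop entries whose window has passed.
        foreach ($this->seen as $k => $expiry) {
            if ($expiry <= $now) {
                unset($this->seen[$k]);
            }
        }
        $key = $consumerKey . '|' . $timestamp . '|' . $nonce;
        if (isset($this->seen[$key])) {
            return false; // same triple seen before: replay
        }
        $this->seen[$key] = $now + $this->windowSeconds;
        return true;
    }
}
```

A second call to acceptRequest() with the same consumer key, timestamp and nonce returns false, which is the replay protection the nonce exists for; the quality of the generator decides whether an observer can forge a fresh triple for a request they can also sign.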