qvest-digital / loginsrv

JWT login microservice with pluggable backends such as OAuth2, Google, Github, htpasswd, osiam, ..
MIT License
1.92k stars 150 forks

Use crypto/rand #156

Closed g-w closed 4 years ago

g-w commented 4 years ago

loginsrv currently uses math/rand with the service start time as a seed to generate oauth2 states and other secrets. This is of course a security issue, and hence math/rand gets replaced with crypto/rand, which utilizes better sources of randomness.

Further, this PR increases both the length of the default jwt secret to 264 bytes and the length of the oauth2 state secret to 232 bytes to avoid possible brute force attacks. (fixes #149)
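The weakness the PR describes, shown side by side with the fix, as an added example that is not loginsrv's own code: `weakState` models the old pattern (a math/rand generator seeded from a single start-time value), `guessSeed` models an attacker who knows roughly when the service started and enumerates candidate seeds until the observed state is reproduced, and `secureState` draws the state from crypto/rand, which has no seed to recover. The function names, the 32-byte state length, the base64url encoding and the choice to model the seed as Unix seconds (a narrow search window; a nanosecond seed widens it but leaves the same enumeration attack) are assumptions for illustration, not details taken from the project.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	mrand "math/rand"
	"time"
)

// weakState models the pattern the PR removes: a math/rand generator seeded
// with one int64 (the service start time). The output is a pure function of
// the seed, so anyone who can guess the seed reproduces every "secret".
// (Hypothetical reconstruction, not loginsrv's code.)
func weakState(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(r.Intn(256))
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// guessSeed models the attacker: given one observed state and a window of
// candidate start times (assumed here to be Unix seconds), it brute-forces
// the seed. Success means every later state and secret is predictable too.
func guessSeed(observed string, from, to int64, n int) (int64, bool) {
	for s := from; s <= to; s++ {
		if weakState(s, n) == observed {
			return s, true
		}
	}
	return 0, false
}

// secureState is the fixed version: n bytes from the OS CSPRNG via
// crypto/rand, base64url-encoded so the value is safe in a query string.
func secureState(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// stateMatches compares the state echoed back by the OAuth2 provider with
// the one stored for the session in constant time, so the comparison itself
// does not leak how many leading characters matched.
func stateMatches(expected, got string) bool {
	return subtle.ConstantTimeCompare([]byte(expected), []byte(got)) == 1
}

func main() {
	start := time.Now().Unix()
	leaked := weakState(start, 32)
	// An attacker who knows the service came up within the last hour
	// recovers the seed from a single observed state.
	if seed, ok := guessSeed(leaked, start-3600, start, 32); ok {
		fmt.Printf("weak state reproduced from start time %d\n", seed)
	}
	s, err := secureState(32)
	if err != nil {
		panic(err)
	}
	fmt.Println("crypto/rand state:", s, "self-match:", stateMatches(s, s))
}
```

The point of `guessSeed` is that the search cost is bounded by the uncertainty about the start time, not by the length of the generated state: lengthening a math/rand-derived secret does nothing against this attack, which is why the seed source has to change to crypto/rand before the length increase in this PR buys anything.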

coveralls commented 4 years ago

Coverage Status

Coverage decreased (-0.3%) to 91.423% when pulling b059d963e350695e967e6ab55379464b47c5ce65 on g-w:crypto-rand into be2ae2ce04f3f9e5287e78121636134cc49b2fa2 on tarent:master.