loginsrv currently uses math/rand with the service start time as a seed to generate oauth2 states and other secrets. This is of course a security issue, and hence math/rand gets replaced with crypto/rand, which utilizes better sources of randomness.
Further, this PR increases both the length of the default jwt secret to 264 bytes and the length of the oauth2 state secret to 232 bytes to avoid possible brute force attacks. (fixes #149)
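As an added illustration of why the time-seeded math/rand pattern described above is a problem (this is example code written for this page, not loginsrv's code and not part of this PR): a generator seeded with the start time can be replayed by anyone who knows one issued state and can guess the start time to within a few minutes, after which every later state is predictable. The `stateLen` of 16 bytes, the `weakStates`/`recoverSeed`/`strongState` names and the constructed start time are assumptions for the demo; the real lengths are the ones the PR sets.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	mathrand "math/rand"
	"time"
)

// stateLen is an assumed state length (bytes) for this demo only.
const stateLen = 16

// weakStates mimics the pattern the PR removes: one math/rand generator seeded
// with the service start time, asked for `count` successive oauth2 states.
// Illustrative code, not loginsrv's implementation.
func weakStates(startUnix int64, count int) []string {
	r := mathrand.New(mathrand.NewSource(startUnix))
	out := make([]string, 0, count)
	for i := 0; i < count; i++ {
		b := make([]byte, stateLen)
		for j := range b {
			b[j] = byte(r.Intn(256))
		}
		out = append(out, hex.EncodeToString(b))
	}
	return out
}

// recoverSeed is the attacker's side: given the first state the service issued
// (e.g. the state handed to the attacker's own login) and a rough guess of the
// start time, try every second in +/- window until the observed state is
// reproduced. Returns the seed, or -1 if nothing in the window matches.
func recoverSeed(observed string, guess time.Time, window time.Duration) int64 {
	lo := guess.Add(-window).Unix()
	hi := guess.Add(window).Unix()
	for s := lo; s <= hi; s++ {
		if weakStates(s, 1)[0] == observed {
			return s
		}
	}
	return -1
}

// strongState is the replacement: stateLen bytes from crypto/rand, which reads
// the operating system's CSPRNG. There is no seed to recover.
func strongState() (string, error) {
	b := make([]byte, stateLen)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	start := time.Unix(1700000000, 0) // constructed "service start time"
	issued := weakStates(start.Unix(), 3)
	// The attacker knows only issued[0] and guesses the start to within +/- 5 min.
	seed := recoverSeed(issued[0], start.Add(2*time.Minute), 5*time.Minute)
	fmt.Println("recovered seed:", seed, "correct:", seed == start.Unix())
	fmt.Println("third state predicted:", weakStates(seed, 3)[2] == issued[2])
	s, _ := strongState()
	fmt.Println("crypto/rand state (unpredictable):", s)
}
```

The search is a few hundred seeds for a five-minute window, so start-time granularity of one second buys nothing; the only fix is an unseedable source such as crypto/rand, where 32 bytes of output is already far beyond brute force, so the extra length the PR adds is defence in depth rather than the thing that closes the hole.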
Coverage decreased (-0.3%) to 91.423% when pulling b059d963e350695e967e6ab55379464b47c5ce65 on g-w:crypto-rand into be2ae2ce04f3f9e5287e78121636134cc49b2fa2 on tarent:master.