Use crypto/rand for XSRF token generation

Issue: #20 Uses crypto/rand instead of math/rand for XSRF token generation, as @elithrar suggested. In that issue it was also suggested that we either use gorilla/csrf or repurpose it for Golf, so this PR may not close the issue.
dinever · Jun 3, 2016 · 8fbfd14 · 8fbfd14
1 parent 8adab8a
commit 8fbfd14
Showing 1 changed file with 8 additions and 7 deletions.
diff --git a/xsrf.go b/xsrf.go
@@ -1,20 +1,21 @@
 package golf
 
 import (
+	"crypto/rand"
 	"encoding/hex"
-	"math/rand"
-	"time"
 )
 
 const chars = "abcdefghijklmnopqrstuvwxyz0123456789"
 
 func randomBytes(strlen int) []byte {
-	rand.Seed(time.Now().UTC().UnixNano())
-	result := make([]byte, strlen)
-	for i := 0; i < strlen; i++ {
-		result[i] = chars[rand.Intn(len(chars))]
+	b := make([]byte, strlen)
+	_, err := rand.Read(b)
+	if err != nil {
+		// panic on failure since this indicates a failure of the system's
+		// CSPRNG
+		panic(err)
 	}
-	return result
+	return b
 }
 
 func decodeXSRFToken(maskedToken string) ([]byte, []byte, error) {