From 8fbfd1454d76d395705615a6facd9df5cb4e8529 Mon Sep 17 00:00:00 2001
From: Ben Tranter
Date: Fri, 3 Jun 2016 19:49:22 -0400
Subject: [PATCH] Use crypto/rand for XSRF token generation

Issue: #20

Uses crypto/rand instead of math/rand for XSRF token generation, as @elithrar suggested. In that issue it was also suggested that we either use gorilla/csrf or repurpose it for Golf, so this PR may not close the issue.
---
 xsrf.go | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/xsrf.go b/xsrf.go
index 03d566d..9a26614 100644
--- a/xsrf.go
+++ b/xsrf.go
@@ -1,20 +1,21 @@
 package golf
 
 import (
+ "crypto/rand"
 "encoding/hex"
- "math/rand"
- "time"
 )
 
 const chars = "abcdefghijklmnopqrstuvwxyz0123456789"
 
 func randomBytes(strlen int) []byte {
- rand.Seed(time.Now().UTC().UnixNano())
- result := make([]byte, strlen)
- for i := 0; i < strlen; i++ {
- result[i] = chars[rand.Intn(len(chars))]
+ b := make([]byte, strlen)
+ _, err := rand.Read(b)
+ if err != nil {
+ // panic on failure since this indicates a failure of the system's
+ // CSPRNG
+ panic(err)
 }
- return result
+ return b
 }
 
 func decodeXSRFToken(maskedToken string) ([]byte, []byte, error) {
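Review bot: The `chars` constant kept at the top of the hunk is no longer referenced by randomBytes, which now returns raw bytes from crypto/rand instead of ASCII drawn from that alphabet; Go does not flag unused package-level constants, so if nothing else in xsrf.go uses `chars` it is dead and should be dropped, and any caller that treated the old result as printable text rather than hex-encoding it needs checking. The contract change is worth stating on the function, since the name alone does not say the output is no longer text: `// randomBytes returns strlen bytes read from crypto/rand; it panics if the system CSPRNG fails.` Panicking here is the usual choice because a failed CSPRNG read must not silently yield a predictable token, so the added branch is fine as written. The rest of xsrf.go, including decodeXSRFToken whose body starts on the hunk's last line, is outside the hunk.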