OIDC cookie: use a cryptographically secure random string

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
2025-12-06 22:30:56 +03:00 · 2024-11-20 18:28:43 +01:00
parent ed5ff9c5cc
commit f30a9a2095
4 changed files with 24 additions and 25 deletions
--- a/internal/httpd/oauth2.go
+++ b/internal/httpd/oauth2.go
@@ -15,8 +15,6 @@
 package httpd

 import (
-	"crypto/sha256"
-	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"sync"
@@ -53,10 +51,8 @@ type oauth2PendingAuth struct {
 }

 func newOAuth2PendingAuth(provider int, redirectURL, clientID string, clientSecret *kms.Secret) oauth2PendingAuth {
-	state := sha256.Sum256(util.GenerateRandomBytes(32))
-
 	return oauth2PendingAuth{
-		State:        hex.EncodeToString(state[:]),
+		State:        util.GenerateOpaqueString(),
 		Provider:     provider,
 		ClientID:     clientID,
 		ClientSecret: clientSecret,