OIDC cookie: use a cryptographically secure random string

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
2025-12-06 06:10:54 +03:00 · 2024-11-20 18:28:43 +01:00
parent ed5ff9c5cc
commit f30a9a2095
4 changed files with 24 additions and 25 deletions
--- a/internal/util/util.go
+++ b/internal/util/util.go
@@ -22,8 +22,10 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/hex"
 	"encoding/json"
 	"encoding/pem"
 	"errors"
@@ -550,7 +552,7 @@ func createDirPathIfMissing(file string, perm os.FileMode) error {
 	return nil
 }

-// GenerateRandomBytes generates the secret to use for JWT auth
+// GenerateRandomBytes generates random bytes with the specified length
 func GenerateRandomBytes(length int) []byte {
 	b := make([]byte, length)
 	_, err := io.ReadFull(rand.Reader, b)
@@ -560,6 +562,12 @@ func GenerateRandomBytes(length int) []byte {
 	return b
 }

+// GenerateOpaqueString generates a cryptographically secure opaque string
+func GenerateOpaqueString() string {
+	randomBytes := sha256.Sum256(GenerateRandomBytes(32))
+	return hex.EncodeToString(randomBytes[:])
+}
+
 // GenerateUniqueID returns an unique ID
 func GenerateUniqueID() string {
 	u, err := uuid.NewRandom()