Use cryptographically secure randomness for Magic Link code generation
#sample uses PRNG under the hood which is pseudo random, which means that given enough magic link codes you can predict which code would come next. To fix that we have to switch to CSPRNG - SecureRandom.random_number - which isn't easy to predict based on previous results.
This commit is contained in:
@@ -4,7 +4,7 @@ module MagicLink::Code
|
||||
|
||||
class << self
|
||||
def generate(length)
|
||||
length.times.map { CODE_ALPHABET.sample }.join
|
||||
Array.new(length) { CODE_ALPHABET[SecureRandom.random_number(CODE_ALPHABET.length)] }.join
|
||||
end
|
||||
|
||||
def sanitize(code)
|
||||
|
||||
Reference in New Issue
Block a user