From 7ab06d1dbd67fbbaf4f66a2223b8c4310b526d99 Mon Sep 17 00:00:00 2001 From: "Stanko K.R." Date: Wed, 3 Dec 2025 20:15:27 +0100 Subject: [PATCH] Use cryptographically secure randomness for Magic Link code generation #sample uses PRNG under the hood which is pseudo random, which means that given enough magic link codes you can predict which code would come next. To fix that we have to switch to CSPRNG - SecureRandom.random_number - which isn't easy to predict based on previous results. --- app/models/magic_link/code.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/models/magic_link/code.rb b/app/models/magic_link/code.rb index 6af1619d8..2bcc0c4e6 100644 --- a/app/models/magic_link/code.rb +++ b/app/models/magic_link/code.rb @@ -4,7 +4,7 @@ module MagicLink::Code class << self def generate(length) - length.times.map { CODE_ALPHABET.sample }.join + Array.new(length) { CODE_ALPHABET[SecureRandom.random_number(CODE_ALPHABET.length)] }.join end def sanitize(code)