refactor(crypto): use rand.Text() instead of a custom implementation

Go 1.24 provides the helpful rand.Text() function, returning a base32-encoded string containing at least 128 bits of randomness. We should make use of it everywhere it makes sense to do so, if only to not having to think about much entropy do we need for each cases, and just trust the go crypto team. Also, rand.Read() can't fail, so no need to check its return value: https://pkg.go.dev/crypto/rand#Read This behaviour is consistent with go's standard library itself.
2025-06-27 16:36:00 +00:00 · 2025-06-18 16:12:39 +02:00 · 2025-06-18 16:12:39 +02:00 · 9a1d9593b3
commit 9a1d9593b3
parent 43546976d2
3 changed files with 8 additions and 17 deletions
--- a/internal/crypto/crypto.go
+++ b/internal/crypto/crypto.go
@ -8,7 +8,6 @@ import (
 	"crypto/rand"
 	"crypto/sha256"
 	"crypto/subtle"
-	"encoding/base64"
 	"encoding/hex"
 	"fmt"

@ -28,18 +27,10 @@ func Hash(value string) string {
 // GenerateRandomBytes returns random bytes.
 func GenerateRandomBytes(size int) []byte {
 	b := make([]byte, size)
-	if _, err := rand.Read(b); err != nil {
-		panic(err)
-	}
-
+	rand.Read(b)
 	return b
 }

-// GenerateRandomString returns a random string.
-func GenerateRandomString(size int) string {
-	return base64.URLEncoding.EncodeToString(GenerateRandomBytes(size))
-}
-
 // GenerateRandomStringHex returns a random hexadecimal string.
 func GenerateRandomStringHex(size int) string {
 	return hex.EncodeToString(GenerateRandomBytes(size))
--- a/internal/storage/session.go
+++ b/internal/storage/session.go
@ -4,10 +4,10 @@
 package storage // import "miniflux.app/v2/internal/storage"

 import (
+	"crypto/rand"
 	"database/sql"
 	"fmt"

-	"miniflux.app/v2/internal/crypto"
 	"miniflux.app/v2/internal/model"
 )

@ -19,9 +19,9 @@ func (s *Storage) CreateAppSessionWithUserPrefs(userID int64) (*model.Session, e
 	}

 	session := model.Session{
-		ID: crypto.GenerateRandomString(32),
+		ID: rand.Text(),
 		Data: &model.SessionData{
-			CSRF:     crypto.GenerateRandomString(64),
+			CSRF:     rand.Text(),
 			Theme:    user.Theme,
 			Language: user.Language,
 		},
@ -33,9 +33,9 @@ func (s *Storage) CreateAppSessionWithUserPrefs(userID int64) (*model.Session, e
 // CreateAppSession creates a new application session.
 func (s *Storage) CreateAppSession() (*model.Session, error) {
 	session := model.Session{
-		ID: crypto.GenerateRandomString(32),
+		ID: rand.Text(),
 		Data: &model.SessionData{
-			CSRF: crypto.GenerateRandomString(64),
+			CSRF: rand.Text(),
 		},
 	}

--- a/internal/storage/user_session.go
+++ b/internal/storage/user_session.go
@ -4,10 +4,10 @@
 package storage // import "miniflux.app/v2/internal/storage"

 import (
+	"crypto/rand"
 	"database/sql"
 	"fmt"

-	"miniflux.app/v2/internal/crypto"
 	"miniflux.app/v2/internal/model"
 )

@ -56,7 +56,7 @@ func (s *Storage) UserSessions(userID int64) (model.UserSessions, error) {

 // CreateUserSessionFromUsername creates a new user session.
 func (s *Storage) CreateUserSessionFromUsername(username, userAgent, ip string) (sessionID string, userID int64, err error) {
-	token := crypto.GenerateRandomString(64)
+	token := rand.Text()

 	tx, err := s.db.Begin()
 	if err != nil {