From 9a1d9593b34a2e0dbcd29f917678522d40e6649f Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Wed, 18 Jun 2025 16:12:39 +0200
Subject: [PATCH] refactor(crypto): use rand.Text() instead of a custom implementation
Go 1.24 provides the helpful rand.Text() function, returning a base32-encoded string containing at least 128 bits of randomness. We should make use of it everywhere it makes sense to do so, if only to not having to think about much entropy do we need for each cases, and just trust the go crypto team. Also, rand.Read() can't fail, so no need to check its return value: https://pkg.go.dev/crypto/rand#Read This behaviour is consistent with go's standard library itself.
---
 internal/crypto/crypto.go | 11 +----------
 internal/storage/session.go | 10 +++++-----
 internal/storage/user_session.go | 4 ++--
 3 files changed, 8 insertions(+), 17 deletions(-)
diff --git a/internal/crypto/crypto.go b/internal/crypto/crypto.go
index c99beeb8..329c86e7 100644
--- a/internal/crypto/crypto.go
+++ b/internal/crypto/crypto.go
@@ -8,7 +8,6 @@ import (
 	"crypto/rand"
 	"crypto/sha256"
 	"crypto/subtle"
-	"encoding/base64"
 	"encoding/hex"
 	"fmt"
 
@@ -28,18 +27,10 @@ func Hash(value string) string {
 // GenerateRandomBytes returns random bytes.
 func GenerateRandomBytes(size int) []byte {
 	b := make([]byte, size)
-	if _, err := rand.Read(b); err != nil {
-		panic(err)
-	}
-
+	rand.Read(b)
 	return b
 }
 
-// GenerateRandomString returns a random string.
-func GenerateRandomString(size int) string {
-	return base64.URLEncoding.EncodeToString(GenerateRandomBytes(size))
-}
-
 // GenerateRandomStringHex returns a random hexadecimal string.
 func GenerateRandomStringHex(size int) string {
 	return hex.EncodeToString(GenerateRandomBytes(size))
diff --git a/internal/storage/session.go b/internal/storage/session.go
index acb60e34..38270d6c 100644
--- a/internal/storage/session.go
+++ b/internal/storage/session.go
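Review bot: The bare `rand.Read(b)` in GenerateRandomBytes discards both return values with no explanation, which errcheck-style linters flag and which a reader who has not seen the commit message will take for a dropped error. The Go 1.24 guarantee the commit relies on (crypto/rand.Read always returns a nil error and aborts the process instead of failing) belongs at the call site, e.g. `_, _ = rand.Read(b) // crypto/rand.Read cannot fail since Go 1.24; it aborts the process instead`. Because rand.Text() used elsewhere in this patch only exists from Go 1.24, the build already requires that toolchain, so the guarantee holds wherever this compiles. A negative size still panics inside make, as it did before this change.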
@@ -4,10 +4,10 @@
 package storage // import "miniflux.app/v2/internal/storage"
 
 import (
+	"crypto/rand"
 	"database/sql"
 	"fmt"
 
-	"miniflux.app/v2/internal/crypto"
 	"miniflux.app/v2/internal/model"
 )
 
@@ -19,9 +19,9 @@ func (s *Storage) CreateAppSessionWithUserPrefs(userID int64) (*model.Session, e
 	}
 
 	session := model.Session{
-		ID: crypto.GenerateRandomString(32),
+		ID: rand.Text(),
 		Data: &model.SessionData{
-			CSRF: crypto.GenerateRandomString(64),
+			CSRF: rand.Text(),
 			Theme: user.Theme,
 			Language: user.Language,
 		},
@@ -33,9 +33,9 @@ func (s *Storage) CreateAppSessionWithUserPrefs(userID int64) (*model.Session, e
 // CreateAppSession creates a new application session.
 func (s *Storage) CreateAppSession() (*model.Session, error) {
 	session := model.Session{
-		ID: crypto.GenerateRandomString(32),
+		ID: rand.Text(),
 		Data: &model.SessionData{
-			CSRF: crypto.GenerateRandomString(64),
+			CSRF: rand.Text(),
 		},
 	}
 
diff --git a/internal/storage/user_session.go b/internal/storage/user_session.go
index 3661d852..a16f8b8d 100644
--- a/internal/storage/user_session.go
+++ b/internal/storage/user_session.go
@@ -4,10 +4,10 @@
 package storage // import "miniflux.app/v2/internal/storage"
 
 import (
+	"crypto/rand"
 	"database/sql"
 	"fmt"
 
-	"miniflux.app/v2/internal/crypto"
 	"miniflux.app/v2/internal/model"
 )
 
@@ -56,7 +56,7 @@ func (s *Storage) UserSessions(userID int64) (model.UserSessions, error) {
 
 // CreateUserSessionFromUsername creates a new user session.
 func (s *Storage) CreateUserSessionFromUsername(username, userAgent, ip string) (sessionID string, userID int64, err error) {
-	token := crypto.GenerateRandomString(64)
+	token := rand.Text()
 
 	tx, err := s.db.Begin()
 	if err != nil {
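Review bot: Replacing GenerateRandomString(32) and GenerateRandomString(64) with rand.Text() in CreateAppSessionWithUserPrefs silently shrinks the session ID from 256 to 128 bits of entropy and the CSRF token from 512 to 128 bits, and changes the token format from base64url (44 or 88 characters) to 26 uppercase base32 characters; the same applies to the CreateAppSession hunk below and to the user-session token in user_session.go. 128 bits remains well above common guidance for unguessable session identifiers, so this is not a weakness, but nothing in the new code records that the size is deliberate, and any length validation or column width that assumed the old format lives outside this diff and should be checked. A one-line comment at the first use would carry that intent, e.g. `// rand.Text() yields 128 bits of entropy (26 base32 chars), enough for an unguessable session or CSRF token.` CreateAppSessionWithUserPrefs begins before the hunk and continues past it.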