refactor(crypto): use rand.Text() instead of a custom implementation

Go 1.24 provides the helpful rand.Text() function, returning a base32-encoded string containing at least 128 bits of randomness. We should make use of it everywhere it makes sense to do so, if only to not having to think about much entropy do we need for each cases, and just trust the go crypto team. Also, rand.Read() can't fail, so no need to check its return value: https://pkg.go.dev/crypto/rand#Read This behaviour is consistent with go's standard library itself.
2025-08-31 18:31:01 +00:00 · 2025-06-18 16:12:39 +02:00 · 2025-06-18 16:12:39 +02:00 · 9a1d9593b3
commit 9a1d9593b3
parent 43546976d2
3 changed files with 8 additions and 17 deletions
--- a/internal/storage/user_session.go
+++ b/internal/storage/user_session.go
@ -4,10 +4,10 @@
 package storage // import "miniflux.app/v2/internal/storage"

 import (
+	"crypto/rand"
 	"database/sql"
 	"fmt"

-	"miniflux.app/v2/internal/crypto"
 	"miniflux.app/v2/internal/model"
 )

@ -56,7 +56,7 @@ func (s *Storage) UserSessions(userID int64) (model.UserSessions, error) {

 // CreateUserSessionFromUsername creates a new user session.
 func (s *Storage) CreateUserSessionFromUsername(username, userAgent, ip string) (sessionID string, userID int64, err error) {
-	token := crypto.GenerateRandomString(64)
+	token := rand.Text()

 	tx, err := s.db.Begin()
 	if err != nil {