use secrets module instead of random

3f3a41d4 · nd · 34e97658 · 3f3a41d4 · 3f3a41d4
Verified Commit 3f3a41d4 authored 4 years ago by nd
--- a/uffd/__init__.py
+++ b/uffd/__init__.py
 import os
+import secrets

 from flask import Flask, redirect, url_for
 from werkzeug.routing import IntegerConverter
@@ -16,7 +17,7 @@ def create_app(test_config=None):
 	# set development default config values
 	app.config.from_mapping(
 		TEMPLATES_AUTO_RELOAD=True,
-		SECRET_KEY=os.urandom(128),
+		SECRET_KEY=secrets.token_hex(128),
 		SQLALCHEMY_DATABASE_URI="sqlite:///{}".format(os.path.join(app.instance_path, 'uffd.sqlit3')),
 		SQLALCHEMY_ECHO=True,
 	)

--- a/uffd/session/views.py
+++ b/uffd/session/views.py
 import datetime
-import random
+import secrets
 import string
 import functools

@@ -38,7 +38,7 @@ def login():
 		return redirect(url_for('.login'))
 	session['user_uid'] = user.uid
 	session['logintime'] = datetime.datetime.now().timestamp()
-	session['_csrf_token'] = ''.join(random.SystemRandom().choice(string.ascii_letters + string.digits) for _ in range(64))
+	session['_csrf_token'] = secrets.token_hex(128)
 	return redirect(request.values.get('ref', url_for('index')))

 def get_current_user():