From 4ce83321955bb3b92a74d2957697ed8cbd8a2ffb Mon Sep 17 00:00:00 2001
From: Frederik Hahne
Date: Sun, 15 Sep 2019 09:35:21 +0200
Subject: [PATCH] fix insecure random source for tokens closes #183
---
 .../package/service/util/RandomUtil.kt.ejs | 59 +++++++++++--------
 1 file changed, 33 insertions(+), 26 deletions(-)
diff --git a/generators/server/templates/src/main/kotlin/package/service/util/RandomUtil.kt.ejs b/generators/server/templates/src/main/kotlin/package/service/util/RandomUtil.kt.ejs
index 9b6457fc7..f79a601ec 100644
--- a/generators/server/templates/src/main/kotlin/package/service/util/RandomUtil.kt.ejs
+++ b/generators/server/templates/src/main/kotlin/package/service/util/RandomUtil.kt.ejs
@@ -20,44 +20,51 @@
 package <%=packageName%>.service.util
+import java.security.SecureRandom
 import org.apache.commons.lang3.RandomStringUtils
 private const val DEF_COUNT = 20
+private val secureRandom: SecureRandom = SecureRandom().apply{ nextBytes(ByteArray(64)) }
+
+private fun generateRandomAlphanumericString(): String {
+    return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, secureRandom)
+}
+
 /**
- * Generate a password.
- *
- * @return the generated password.
- */
-fun generatePassword(): String = RandomStringUtils.randomAlphanumeric(DEF_COUNT)
+* Generate a password.
+*
+* @return the generated password.
+*/
+fun generatePassword(): String = generateRandomAlphanumericString()
 /**
- * Generate an activation key.
- *
- * @return the generated activation key.
- */
-fun generateActivationKey(): String = RandomStringUtils.randomNumeric(DEF_COUNT)
+* Generate an activation key.
+*
+* @return the generated activation key.
+*/
+fun generateActivationKey(): String = generateRandomAlphanumericString()
 /**
- * Generate a reset key.
- *
- * @return the generated reset key.
- */
-fun generateResetKey(): String = RandomStringUtils.randomNumeric(DEF_COUNT)
+* Generate a reset key.
+*
+* @return the generated reset key.
+*/
+fun generateResetKey(): String = generateRandomAlphanumericString()
 <%_ if (authenticationType === 'session' && !reactive) { _%>
 /**
- * Generate a unique series to validate a persistent token, used in the
- * authentication remember-me mechanism.
- *
- * @return the generated series data.
- */
-fun generateSeriesData(): String = RandomStringUtils.randomAlphanumeric(DEF_COUNT)
+* Generate a unique series to validate a persistent token, used in the
+* authentication remember-me mechanism.
+*
+* @return the generated series data.
+*/
+fun generateSeriesData(): String = generateRandomAlphanumericString()
 /**
- * Generate a persistent token, used in the authentication remember-me mechanism.
- *
- * @return the generated token data.
- */
-fun generateTokenData(): String = RandomStringUtils.randomAlphanumeric(DEF_COUNT)
+* Generate a persistent token, used in the authentication remember-me mechanism.
+*
+* @return the generated token data.
+*/
+fun generateTokenData(): String = generateRandomAlphanumericString()
 <%_ } _%>
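Review bot: The `nextBytes(ByteArray(64))` call in `private val secureRandom: SecureRandom = SecureRandom().apply{ nextBytes(ByteArray(64)) }` has no explanation, so the next maintainer may read it as dead work and drop it; it appears intended to make the generator self-seed when the instance is created rather than on the first token request. Suggest a comment above the declaration such as `// Draw and discard 64 bytes so the generator seeds itself eagerly instead of on first use.`, and `apply {` with a space per ktlint. The rewritten KDoc blocks also dropped the leading space before `*`, so the continuation lines no longer sit under the `/**` opener the way the removed lines did; keeping ` *` preserves the style of the surrounding template. Since generateActivationKey and generateResetKey now return alphanumeric rather than numeric keys, their KDoc could state the character set callers can expect.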