Use random_bytes from php7 for a reliable and secure random number ge…

…nerator - Included backwards compatibility - Dont ruin the good random with md5
authbucket · Aug 8, 2017 · aa9dfbd · aa9dfbd
1 parent d923b94
commit aa9dfbd
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 4 deletions.
diff --git a/composer.json b/composer.json
@@ -42,7 +42,8 @@
         "symfony/http-foundation": "~3.2",
         "symfony/http-kernel": "~3.2",
         "symfony/security": "~3.2",
-        "symfony/validator": "~3.2"
+        "symfony/validator": "~3.2",
+        "paragonie/random_compat": "^2.0"
     },
     "require-dev": {
         "doctrine/data-fixtures": "~1.0",

diff --git a/src/ResponseType/CodeResponseTypeHandler.php b/src/ResponseType/CodeResponseTypeHandler.php
@@ -48,7 +48,7 @@ public function handle(Request $request)
         $codeManager = $this->modelManagerFactory->getModelManager('code');
         $class = $codeManager->getClassName();
         $code = new $class();
-        $code->setCode(md5(openssl_random_pseudo_bytes(256)))
+        $code->setCode(bin2hex(random_bytes(127)))
             ->setClientId($clientId)
             ->setUsername($username)
             ->setRedirectUri($redirectUri)

diff --git a/src/TokenType/BearerTokenTypeHandler.php b/src/TokenType/BearerTokenTypeHandler.php
@@ -75,7 +75,7 @@ public function createAccessToken(
         $accessTokenManager = $this->modelManagerFactory->getModelManager('access_token');
         $class = $accessTokenManager->getClassName();
         $accessToken = new $class();
-        $accessToken->setAccessToken(md5(openssl_random_pseudo_bytes(256)))
+        $accessToken->setAccessToken(bin2hex(random_bytes(127)))
             ->setTokenType('bearer')
             ->setClientId($clientId)
             ->setUsername($username)
@@ -101,7 +101,7 @@ public function createAccessToken(
             $refreshTokenManager = $this->modelManagerFactory->getModelManager('refresh_token');
             $class = $refreshTokenManager->getClassName();
             $refreshToken = new $class();
-            $refreshToken->setRefreshToken(md5(openssl_random_pseudo_bytes(256)))
+            $refreshToken->setRefreshToken(bin2hex(random_bytes(127)))
                 ->setClientId($clientId)
                 ->setUsername($username)
                 ->setExpires(new \DateTime('+1 days'))