invites: use secrets.token_urlsafe instead of os.urandom

2019-02-05 17:32:18 -03:00 · 2019-02-05 17:32:18 -03:00 · b424d47755
parent 73e83c2b81
commit b424d47755
1 changed files with 4 additions and 8 deletions
--- a/litecord/blueprints/invites.py
+++ b/litecord/blueprints/invites.py
@ -17,9 +17,9 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.

 """

+import re
+import secrets
 import datetime
-import base64
-import os

 from quart import Blueprint, request, current_app as app, jsonify
 from logbook import Logger
@ -52,12 +52,8 @@ def gen_inv_code() -> str:

    This is a primitive and does not guarantee uniqueness.
    """
-    # TODO: should we really be depending on os.urandom?
-    raw = os.urandom(7)
-    raw = base64.b64encode(raw).decode()
-
-    raw = raw.replace('/', '')
-    raw = raw.replace('+', '')
+    raw = secrets.token_urlsafe(10)
+    raw = re.sub(r'\/|\+|\-|\_', '', raw)

    return raw[:7]