From b424d47755a32b616e8eb351c20207b1e7982516 Mon Sep 17 00:00:00 2001
From: Luna
Date: Tue, 5 Feb 2019 17:32:18 -0300
Subject: [PATCH] invites: use secrets.token_urlsafe instead of os.urandom
---
 litecord/blueprints/invites.py | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/litecord/blueprints/invites.py b/litecord/blueprints/invites.py
index 70a23ba..acb860f 100644
--- a/litecord/blueprints/invites.py
+++ b/litecord/blueprints/invites.py
@@ -17,9 +17,9 @@ along with this program. If not, see .
 """
+import re
+import secrets
 import datetime
-import base64
-import os
 from quart import Blueprint, request, current_app as app, jsonify
 from logbook import Logger
@@ -52,12 +52,8 @@ def gen_inv_code() -> str:
 This is a primitive and does not guarantee uniqueness.
 """
- # TODO: should we really be depending on os.urandom?
- raw = os.urandom(7)
- raw = base64.b64encode(raw).decode()
-
- raw = raw.replace('/', '')
- raw = raw.replace('+', '')
+ raw = secrets.token_urlsafe(10)
+ raw = re.sub(r'\/|\+|\-|\_', '', raw)
 return raw[:7]
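Review bot: In the second hunk (`gen_inv_code`), the pattern `r'\/|\+|\-|\_'` still lists `/` and `+`, which `secrets.token_urlsafe` never emits, and because characters are stripped before the `raw[:7]` slice the result is not strictly guaranteed to be seven characters long (10 bytes encode to 14 characters, so a short code is extremely unlikely but not excluded). `raw = re.sub(r'[-_]', '', raw)` states the intent without the dead alternatives and needless escapes, and a comment such as `# 7 chars from [A-Za-z0-9], roughly 41 bits; may be shorter in rare cases` would record the actual guarantee next to the docstring's uniqueness caveat. Both `os.urandom` and `secrets` draw from the OS CSPRNG, so this change is a cleanup and does not alter the strength of the code. How hard a code is to guess is bounded by its length, so it still depends on whatever lookup throttling exists outside this hunk. The function starts above the hunk, so callers' assumptions about code length cannot be checked from here.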