From: Tom Hughes
Date: Mon, 4 Dec 2023 17:23:23 +0000 (+0000)
Subject: Use SecureRandom to generate user tokens
X-Git-Tag: live~983
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/12b4d11d44055399085bf1d10136ffbe4255bcbe?ds=sidebyside
Use SecureRandom to generate user tokens
---
diff --git a/lib/osm.rb b/lib/osm.rb
index 905f3ac97..c7f8bef2f 100644
--- a/lib/osm.rb
+++ b/lib/osm.rb
@@ -502,15 +502,8 @@ module OSM
 end
 # Construct a random token of a given length
- def self.make_token(length = 30)
- chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
- token = ""
-
- length.times do
- token += chars[(rand * chars.length).to_i].chr
- end
-
- token
+ def self.make_token(length = 24)
+ SecureRandom.urlsafe_base64(length)
 end
 # Return an SQL fragment to select a given area of the globe
diff --git a/test/integration/user_creation_test.rb b/test/integration/user_creation_test.rb
index 2baa6f776..21e751bca 100644
--- a/test/integration/user_creation_test.rb
+++ b/test/integration/user_creation_test.rb
@@ -206,7 +206,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 assert_equal register_email.to.first, new_email
 # Check that the confirm account url is correct
- confirm_regex = Regexp.new("/user/redirect_tester/confirm\\?confirm_string=([a-zA-Z0-9]*)")
+ confirm_regex = Regexp.new("/user/redirect_tester/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
 email_text_parts(register_email).each do |part|
 assert_match confirm_regex, part.body.to_s
 end
@@ -359,7 +359,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 assert_equal register_email.to.first, new_email
 # Check that the confirm account url is correct
- confirm_regex = Regexp.new("/user/redirect_tester_openid/confirm\\?confirm_string=([a-zA-Z0-9]*)")
+ confirm_regex = Regexp.new("/user/redirect_tester_openid/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
 email_text_parts(register_email).each do |part|
 assert_match confirm_regex, part.body.to_s
 end
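Review bot: The `length` argument of `make_token` no longer means the token's length: `SecureRandom.urlsafe_base64(length)` takes a count of random bytes and returns a string roughly 4/3 as long (the new default of 24 bytes yields a 32-character token), so the unchanged comment `# Construct a random token of a given length` is now misleading and any caller passing an explicit length expecting that many characters will get a longer string. Suggest `# Construct a random URL-safe token from +length+ random bytes (about length * 4 / 3 characters)` or renaming the parameter to `bytes`. The output alphabet also changes to `[A-Za-z0-9_-]` with no `=` padding, so any column width limit or alphanumeric-only validation of stored tokens elsewhere needs the same update the tests in this commit receive. lib/osm.rb presumably sees `SecureRandom` via Rails/ActiveSupport; if the file is ever loaded standalone it needs `require "securerandom"`. The enclosing `module OSM` starts and ends outside the hunk.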
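Review bot: The updated character class matches urlsafe_base64 output, but the `*` quantifier on the new line still accepts an empty `confirm_string`, so the assertion also passes when no token was emitted at all; `([a-zA-Z0-9_-]+)` would at least require a token, and if the confirm string comes from `make_token` with the new 24-byte default its length is a fixed 32 characters, which `{32}` could pin. The same pattern is changed identically in the hunks at 359, 513, 665, 817, 971 and 1125, so one fix applies to all of them. The enclosing test methods start and end outside each hunk.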
@@ -513,7 +513,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 assert_equal register_email.to.first, new_email
 # Check that the confirm account url is correct
- confirm_regex = Regexp.new("/user/redirect_tester_google/confirm\\?confirm_string=([a-zA-Z0-9]*)")
+ confirm_regex = Regexp.new("/user/redirect_tester_google/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
 email_text_parts(register_email).each do |part|
 assert_match confirm_regex, part.body.to_s
 end
@@ -665,7 +665,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 assert_equal register_email.to.first, new_email
 # Check that the confirm account url is correct
- confirm_regex = Regexp.new("/user/redirect_tester_facebook/confirm\\?confirm_string=([a-zA-Z0-9]*)")
+ confirm_regex = Regexp.new("/user/redirect_tester_facebook/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
 email_text_parts(register_email).each do |part|
 assert_match confirm_regex, part.body.to_s
 end
@@ -817,7 +817,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 assert_equal register_email.to.first, new_email
 # Check that the confirm account url is correct
- confirm_regex = Regexp.new("/user/redirect_tester_microsoft/confirm\\?confirm_string=([a-zA-Z0-9]*)")
+ confirm_regex = Regexp.new("/user/redirect_tester_microsoft/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
 email_text_parts(register_email).each do |part|
 assert_match confirm_regex, part.body.to_s
 end
@@ -971,7 +971,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 assert_equal register_email.to.first, new_email
 # Check that the confirm account url is correct
- confirm_regex = Regexp.new("/user/redirect_tester_github/confirm\\?confirm_string=([a-zA-Z0-9]*)")
+ confirm_regex = Regexp.new("/user/redirect_tester_github/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
 email_text_parts(register_email).each do |part|
 assert_match confirm_regex, part.body.to_s
 end
@@ -1125,7 +1125,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 assert_equal register_email.to.first, new_email
 # Check that the confirm account url is correct
- confirm_regex = Regexp.new("/user/redirect_tester_wikipedia/confirm\\?confirm_string=([a-zA-Z0-9]*)")
+ confirm_regex = Regexp.new("/user/redirect_tester_wikipedia/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
 email_text_parts(register_email).each do |part|
 assert_match confirm_regex, part.body.to_s
 end