From 12b4d11d44055399085bf1d10136ffbe4255bcbe Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Mon, 4 Dec 2023 17:23:23 +0000
Subject: [PATCH] Use SecureRandom to generate user tokens
---
 lib/osm.rb | 11 ++---------
 test/integration/user_creation_test.rb | 14 +++++++-------
 2 files changed, 9 insertions(+), 16 deletions(-)
diff --git a/lib/osm.rb b/lib/osm.rb
index 905f3ac97..c7f8bef2f 100644
--- a/lib/osm.rb
+++ b/lib/osm.rb
@@ -502,15 +502,8 @@ module OSM
 end
 # Construct a random token of a given length
- def self.make_token(length = 30)
- chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
- token = ""
-
- length.times do
- token += chars[(rand * chars.length).to_i].chr
- end
-
- token
+ def self.make_token(length = 24)
+ SecureRandom.urlsafe_base64(length)
 end
 # Return an SQL fragment to select a given area of the globe
diff --git a/test/integration/user_creation_test.rb b/test/integration/user_creation_test.rb
index 2baa6f776..21e751bca 100644
--- a/test/integration/user_creation_test.rb
+++ b/test/integration/user_creation_test.rb
@@ -206,7 +206,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 assert_equal register_email.to.first, new_email
 # Check that the confirm account url is correct
- confirm_regex = Regexp.new("/user/redirect_tester/confirm\\?confirm_string=([a-zA-Z0-9]*)")
+ confirm_regex = Regexp.new("/user/redirect_tester/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
 email_text_parts(register_email).each do |part|
 assert_match confirm_regex, part.body.to_s
 end
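Review bot: The comment above `make_token` in lib/osm.rb still says "a given length", but `SecureRandom.urlsafe_base64(length)` takes a byte count, so the default of 24 yields a 32-character token whose alphabet now includes `-` and `_`. I would reword it to `# Construct a random URL-safe token from the given number of random bytes (the result is about 4/3 as long)`. Any caller that passes an explicit length, or stores or validates the token against a fixed width or an alphanumeric-only pattern, is outside this hunk and worth checking, since it now receives a longer string than the number it passed.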
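Review bot: The updated pattern `([a-zA-Z0-9_-]*)` still accepts an empty `confirm_string`, so this assertion would pass even if no token were put into the confirmation link. The same applies to the six other `confirm_regex` hunks in this file (at -359, -513, -665, -817, -971 and -1125). Using `+` instead of `*`, as in `confirm_string=([a-zA-Z0-9_-]+)`, makes the test require a token. If the confirmation token comes from `make_token` with its default, which is not visible here, `{32}` would pin the expected length as well. The enclosing test methods start and end outside these hunks.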
@@ -359,7 +359,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 assert_equal register_email.to.first, new_email
 # Check that the confirm account url is correct
- confirm_regex = Regexp.new("/user/redirect_tester_openid/confirm\\?confirm_string=([a-zA-Z0-9]*)")
+ confirm_regex = Regexp.new("/user/redirect_tester_openid/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
 email_text_parts(register_email).each do |part|
 assert_match confirm_regex, part.body.to_s
 end
@@ -513,7 +513,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 assert_equal register_email.to.first, new_email
 # Check that the confirm account url is correct
- confirm_regex = Regexp.new("/user/redirect_tester_google/confirm\\?confirm_string=([a-zA-Z0-9]*)")
+ confirm_regex = Regexp.new("/user/redirect_tester_google/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
 email_text_parts(register_email).each do |part|
 assert_match confirm_regex, part.body.to_s
 end
@@ -665,7 +665,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 assert_equal register_email.to.first, new_email
 # Check that the confirm account url is correct
- confirm_regex = Regexp.new("/user/redirect_tester_facebook/confirm\\?confirm_string=([a-zA-Z0-9]*)")
+ confirm_regex = Regexp.new("/user/redirect_tester_facebook/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
 email_text_parts(register_email).each do |part|
 assert_match confirm_regex, part.body.to_s
 end
@@ -817,7 +817,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 assert_equal register_email.to.first, new_email
 # Check that the confirm account url is correct
- confirm_regex = Regexp.new("/user/redirect_tester_microsoft/confirm\\?confirm_string=([a-zA-Z0-9]*)")
+ confirm_regex = Regexp.new("/user/redirect_tester_microsoft/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
 email_text_parts(register_email).each do |part|
 assert_match confirm_regex, part.body.to_s
 end
@@ -971,7 +971,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 assert_equal register_email.to.first, new_email
 # Check that the confirm account url is correct
- confirm_regex = Regexp.new("/user/redirect_tester_github/confirm\\?confirm_string=([a-zA-Z0-9]*)")
+ confirm_regex = Regexp.new("/user/redirect_tester_github/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
 email_text_parts(register_email).each do |part|
 assert_match confirm_regex, part.body.to_s
 end
@@ -1125,7 +1125,7 @@ class UserCreationTest < ActionDispatch::IntegrationTest
 assert_equal register_email.to.first, new_email
 # Check that the confirm account url is correct
- confirm_regex = Regexp.new("/user/redirect_tester_wikipedia/confirm\\?confirm_string=([a-zA-Z0-9]*)")
+ confirm_regex = Regexp.new("/user/redirect_tester_wikipedia/confirm\\?confirm_string=([a-zA-Z0-9_-]*)")
 email_text_parts(register_email).each do |part|
 assert_match confirm_regex, part.body.to_s
 end
--
2.39.5