From d6d1529e2dfb3e4a67fb34529509167bdb2b1c58 Mon Sep 17 00:00:00 2001
From: Thomas Schmitt
Date: Thu, 12 Jan 2023 14:02:01 +0200
Subject: [PATCH] Use crypto/rand for pkce and state generation

math/rand is only a pseudo-random number generator, use crypto/rand instead for the secret generator
---
 auth/secret_generator.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/auth/secret_generator.go b/auth/secret_generator.go
index 91d9f25..89b236f 100644
--- a/auth/secret_generator.go
+++ b/auth/secret_generator.go
@@ -1,12 +1,11 @@
 package auth
 
 import (
+	"crypto/rand"
 	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
-	"math/rand"
 	"strings"
-	"time"
 )
 
 type SecretGenerator struct{}
@@ -33,8 +32,10 @@ func (g SecretGenerator) base64Encode(value []byte) string {
 }
 
 func (g SecretGenerator) randomString(length int) string {
-	rand.Seed(time.Now().UnixNano())
 	b := make([]byte, length)
-	rand.Read(b)
+	_, err := rand.Read(b)
+	if err != nil {
+		panic(fmt.Errorf("Could not get cryptographically secure random numbers: %v", err))
+	}
 	return fmt.Sprintf("%x", b)[:length]
 }
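Review bot: The truncation on the last line of the second hunk, `return fmt.Sprintf("%x", b)[:length]`, keeps only the first `length` hex digits of the `length` bytes drawn, so the returned string carries 4 bits of entropy per character (`length/2` bytes in total) and half of what the new `rand.Read(b)` produces is discarded; switching to crypto/rand fixes the generator but leaves this sizing as it was. Callers that pick `length` for PKCE verifiers or state values should know this, so either draw only what is used, `b := make([]byte, (length+1)/2)`, or document it above the function with `// randomString returns length hex characters (length/2 bytes of crypto/rand entropy).`. The new panic value would be more useful to a recovering caller if it wrapped the cause and followed Go's lowercase error-string convention, e.g. `panic(fmt.Errorf("reading crypto/rand: %w", err))`. The callers of randomString and the rest of the SecretGenerator methods are outside the hunk, so how `length` is chosen cannot be checked here.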