From 929657fd348fd36ff9ac07a9d4936a35043377f5 Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Wed, 23 Apr 2025 00:16:36 +0200
Subject: [PATCH] chore(webui): improve the randomness of session cookies
Closes #24
---
 pkg/database/sessions.go | 13 ++++++-------
 pkg/webui/sessions.go | 2 +-
 2 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/pkg/database/sessions.go b/pkg/database/sessions.go
index d02f440..e8570d2 100644
--- a/pkg/database/sessions.go
+++ b/pkg/database/sessions.go
@@ -2,29 +2,28 @@ package database
 import (
 "database/sql"
+ "encoding/base64"
 "errors"
 "fmt"
 "time"
 "git.adyxax.org/adyxax/tfstated/pkg/model"
- "go.n16f.net/uuid"
+ "git.adyxax.org/adyxax/tfstated/pkg/scrypto"
 )
 func (db *DB) CreateSession(account *model.Account) (string, error) {
- var sessionId uuid.UUID
- if err := sessionId.Generate(uuid.V4); err != nil {
- return "", fmt.Errorf("failed to generate session id: %w", err)
- }
+ sessionBytes := scrypto.RandomBytes(32)
+ sessionId := base64.RawURLEncoding.EncodeToString(sessionBytes[:])
 if _, err := db.Exec(
 `INSERT INTO sessions(id, account_id, data) VALUES (?, ?, ?);`,
- sessionId.String(),
+ sessionId,
 account.Id,
 "",
 ); err != nil {
 return "", fmt.Errorf("failed insert new session in database: %w", err)
 }
- return sessionId.String(), nil
+ return sessionId, nil
 }
 func (db *DB) DeleteExpiredSessions() error {
diff --git a/pkg/webui/sessions.go b/pkg/webui/sessions.go
index 6bb1d5e..f3659e1 100644
--- a/pkg/webui/sessions.go
+++ b/pkg/webui/sessions.go
@@ -21,7 +21,7 @@ func sessionsMiddleware(db *database.DB) func(http.Handler) http.Handler {
 return
 }
 if err == nil {
- if len(cookie.Value) != 36 {
+ if len(cookie.Value) != 43 {
 unsetSesssionCookie(w)
 } else {
 session, err := db.LoadSessionById(cookie.Value)
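Review bot: The new CreateSession body drops the error path the uuid code had, and nothing in the hunk shows what scrypto.RandomBytes does when the underlying entropy read fails; confirm it is backed by crypto/rand and fails loudly (panics or aborts) rather than returning a short or zero-filled buffer, because a session id drawn from a predictable source defeats the whole check, and state that contract in a comment on the call, e.g. `// RandomBytes panics if crypto/rand fails; never returns a weak id`. The `sessionBytes[:]` on the following line is redundant if RandomBytes already returns a []byte, in which case `sessionId := base64.RawURLEncoding.EncodeToString(scrypto.RandomBytes(32))` reads more directly; if it returns an array, a short comment saying so would explain the slicing. The 32-byte size chosen here also fixes the 43-character cookie length checked in pkg/webui/sessions.go, so consider defining the id length once (an exported constant in this package) rather than letting the two literals drift apart. CreateSession is fully inside the hunk, but the file continues outside it.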
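Review bot: The literal 43 on the changed line is the base64url (unpadded) length of the 32 random bytes generated in pkg/database/sessions.go, and nothing in the code ties the two numbers together, so a future change to the byte count would silently make every session cookie fail this check and log users out; deriving it, `if len(cookie.Value) != base64.RawURLEncoding.EncodedLen(32) {`, or better a constant exported from the database package (a placeholder name such as `database.SessionIdLength`) keeps them in sync and documents the relationship. A length check alone does not reject values outside the base64url alphabet, which is acceptable as long as LoadSessionById passes cookie.Value only as a bound query parameter; a one-line comment stating that assumption would help the next reader. sessionsMiddleware starts and ends outside the hunk.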