From 1891e573fc7ae7b64ee903863e0123ab0bbbdde9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arthur=20Fayzrakhmanov=20=28=D0=90=D1=80=D1=82=D1=83=D1=80?= =?UTF-8?q?=20=D0=A4=D0=B0=D0=B9=D0=B7=D1=80=D0=B0=D1=85=D0=BC=D0=B0=D0=BD?= =?UTF-8?q?=D0=BE=D0=B2=29?= Date: Fri, 12 Jun 2015 19:17:48 +0500 Subject: [PATCH] Use nonce package in Auth.GoogleEmail2 Generate CSRF tokens using `nonce` package --- yesod-auth/Yesod/Auth/GoogleEmail2.hs | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/yesod-auth/Yesod/Auth/GoogleEmail2.hs b/yesod-auth/Yesod/Auth/GoogleEmail2.hs index 92608623..4fa3eeed 100644 --- a/yesod-auth/Yesod/Auth/GoogleEmail2.hs +++ b/yesod-auth/Yesod/Auth/GoogleEmail2.hs @@ -71,8 +71,6 @@ import Network.HTTP.Client (parseUrl, requestHeaders, responseBody, urlEncodedBody, Manager) import Network.HTTP.Conduit (http) import Network.HTTP.Types (renderQueryText) -import Network.Mail.Mime (randomString) -import System.Random (newStdGen) import Yesod.Auth (Auth, AuthPlugin (AuthPlugin), AuthRoute, Creds (Creds), Route (PluginR), YesodAuth, @@ -85,6 +83,9 @@ import Yesod.Core (HandlerSite, MonadHandler, lookupSession, notFound, redirect, setSession, whamlet, (.:), TypedContent, HandlerT, liftIO) +import qualified Crypto.Nonce as Nonce +import System.IO.Unsafe (unsafePerformIO) + pid :: Text pid = "googleemail2" @@ -113,8 +114,7 @@ getCreateCsrfToken = do case mtoken of Just token -> return token Nothing -> do - stdgen <- liftIO newStdGen - let token = T.pack $ fst $ randomString 10 stdgen + token <- Nonce.nonce128urlT defaultNonceGen setSession csrfKey token return token @@ -549,3 +549,8 @@ allPersonInfo (A.Object o) = map enc $ M.toList o where enc (key, A.String s) = (key, s) enc (key, v) = (key, TL.toStrict $ TL.toLazyText $ A.encodeToTextBuilder v) allPersonInfo _ = [] + + +defaultNonceGen :: Nonce.Generator +defaultNonceGen = unsafePerformIO (Nonce.new) +{-# NOINLINE defaultNonceGen #-}
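Review bot: `Nonce.nonce128urlT` runs in any `MonadIO`, so the `liftIO` that wrapped `newStdGen` and the `T.pack` call both disappear from this function; if those were the only uses of `liftIO` and the `T` qualifier in the module, the remaining imports will now raise `-Wunused-imports` warnings and should be trimmed in the same commit. A 128-bit URL-safe value is an adequate size for a per-session CSRF secret, but nothing in the hunk says so; a comment on the `Nothing` branch such as `-- no token in the session yet: mint a fresh 128-bit URL-safe nonce and persist it for the session` would record the intent. `getCreateCsrfToken` begins before this hunk, so how the token is later compared is not visible here.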
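Review bot: The new top-level `defaultNonceGen` is built with `unsafePerformIO` and carries no comment justifying why that is safe; the `NOINLINE` pragma alone does not tell a reader what it guards against. Suggest a comment above the binding: `-- Process-wide nonce generator, created once when the CAF is first forced. NOINLINE is required so GHC cannot inline the unsafePerformIO and hand each call site its own generator.` With a single such binding NOINLINE is the usual requirement, but if further `unsafePerformIO` top-level bindings are added to this module, `{-# OPTIONS_GHC -fno-cse #-}` should accompany them so common-subexpression elimination cannot merge distinct generators. The parentheses in `unsafePerformIO (Nonce.new)` are redundant and can be dropped.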