LIMS-1612: Replace uniqid with openssl random pseudo bytes (#903)

* LIMS-1612 - add util fn for generating md5.

* test/LIMS-1612 - Setup Basic param tests.

* feat/LIMS-1612 - implement the new md5 util across all uses of uniqId

* fix/LIMS-1612 -  Fix PSALM faiure

* Merge pre-release/2025-R1.2 into master (#904)

* LIMS-1590: Dont allow name editing for lab contacts when login is set (#887)

* LIMS-1558: Add functionality for SMILES code for any sample (#880)

* LIMS-1490: Use callback URL for incoming dewars via shipping service (#852)

* LIMS-1570: Remove unused app file (#874)

* LIMS-1537: Add more options to reprocessing (#876)

* LIMS-1466: Disable dispatch form validation when using the shipping service (#891)

* fix/LIMS-1612  compatibility with LIMS-1490

---------

Co-authored-by: Mark W <24956497+ndg63276@users.noreply.github.com>

Author: RichB-DLS

api/src/Page/Cal.php

@@ -3,6 +3,7 @@
 namespace SynchWeb\Page;
 
 use SynchWeb\Page;
+use SynchWeb\Utils;
 
 class Cal extends Page
 {
@@ -24,11 +25,11 @@ function _external_link() {
                 if (sizeof($args)) {
                     $this->_output('/cal/ics/h/'.$args[0]['HASH'].'/calendar.ics');
                 } else {
-                    $h = md5(uniqid());
+                    $md5 = Utils::generateRandomMd5();
                     $this->db->pq("INSERT INTO calendarhash (calendarhashid,ckey,hash,beamline) 
-                        VALUES (s_calendarhash.nextval, :1, :2, :3)", array($arg, $h, $this->has_arg('bl') ? 1 : 0));
+                        VALUES (s_calendarhash.nextval, :1, :2, :3)", array($arg, $md5, $this->has_arg('bl') ? 1 : 0));
 
-                    $this->_output('/cal/ics/h/'.$h.'/calendar.ics');
+                    $this->_output('/cal/ics/h/'.$md5.'/calendar.ics');
                 }
             }
         }

api/src/Page/Download.php

@@ -12,6 +12,7 @@
 use Symfony\Component\HttpFoundation\Response;
 use ZipStream\Option\Archive;
 use ZipStream\ZipStream;
+use SynchWeb\Utils;
 
 ini_set('max_execution_time', 0); // To allow large file downloads
 
@@ -66,7 +67,7 @@ function _sign_url()
     {
         if (!$this->has_arg('validity'))
             $this->_error('No validity specified');
-        $token = md5(uniqid());
+        $token = Utils::generateRandomMd5();
 
         $this->db->pq("INSERT INTO SW_onceToken (token, validity, proposalid, personid) VALUES (:1, :2, :3, :4)", array($token, $this->arg('validity'), $this->proposalid, $this->user->personId));
         $this->_output(array('token' => $token));

api/src/Page/Shipment.php

@@ -1066,7 +1066,7 @@ function _dispatch_dewar_shipment_request($dewar)
         $proposal = $dewar['PROPOSAL'];
         $external_id = (int) $dewar['DEWARID'];
         $shipping_id = (int) $dewar['SHIPPINGID'];
-        $token = md5(uniqid());
+        $token = Utils::generateRandomMd5();
         $this->db->pq(
             "UPDATE dewar SET extra = JSON_SET(IFNULL(extra, '{}'), '$.token', :1 ) WHERE dewarid=:2",
             array($token, $external_id)
@@ -3266,7 +3266,7 @@ function _create_shipment_shipment_request($shipment, array $dewars): int
 
         $shipping_id = (int) $shipment['SHIPPINGID'];
 
-        $token = md5(openssl_random_pseudo_bytes(7));
+        $token = Utils::generateRandomMd5(7);
         $this->db->pq(
             "UPDATE dewar SET extra = JSON_SET(IFNULL(extra, '{}'), '$.token', :1 ) WHERE shippingid=:2",
             array($token, $shipping_id)

api/src/Utils.php

@@ -2,6 +2,8 @@
 
 namespace SynchWeb;
 
+use InvalidArgumentException;
+
 class Utils
 {
     public static $exitOnError = true;
@@ -17,6 +19,20 @@ public static function returnError($title, $msg)
         }
     }
 
+    /**
+     * Generate a random 32 hex md5 string from a random byteString. Utilises openssl_random_pseudo_bytes under the hood.
+     * @uses [open_ssl_random_pseudo_bytes](https://www.php.net/manual/en/function.openssl-random-pseudo-bytes.php)
+     * @param int $length = 13 Specify the bytes of the random val. defaults to 13 as per uniqID(). This is likely enough for most uses.
+     * @return string
+     * @throws InvalidArgumentException if $length <= 0 
+     * @throws \Exception if openSSL fails
+     */
+    public static function generateRandomMd5(int $length = 13):  string {
+        if ($length <= 0) throw new InvalidArgumentException('byteLength must be > 0');
+        $bytes = openssl_random_pseudo_bytes($length);
+        return md5(bin2hex($bytes));
+    }
+
     public static function shouldLogUserActivityToDB($loginId): bool
     {
         global $log_activity_to_ispyb;

api/tests/Utils/UtilsTest.php

@@ -0,0 +1,36 @@
+<?php declare(strict_types=1);
+
+namespace SynchWeb;
+
+use InvalidArgumentException;
+use PHPUnit\Framework\TestCase;
+
+final class UtilsTest extends TestCase {
+    public function testMd5CreationFailsWithInvalidArgValue(): void {
+        $this->expectException(InvalidArgumentException::class);
+
+        Utils::generateRandomMd5(-10);
+    }
+
+    public function testMd5CreationSucceedsWithValidArgValue(): void {
+
+        $md5Hash = Utils::generateRandomMd5(5);
+
+        $this->assertNotEmpty($md5Hash );
+        $this->assertIsString($md5Hash );
+        $this->assertLessThanOrEqual(32, strlen($md5Hash));
+    }
+
+
+    public function testMd5CreationSucceedsWithEmptyArgValue(): void {
+
+        $md5Hash = Utils::generateRandomMd5();
+
+        $this->assertNotEmpty($md5Hash );
+        $this->assertIsString($md5Hash );
+        $this->assertLessThanOrEqual(32, strlen($md5Hash));
+    }
+
+
+}
+