feat(auth, users): replace random number generation with cryptographically secure methods

HuanCheng65 · HuanCheng65 · commit c133bf991c59 · 2025-06-26T14:41:57.000+08:00
diff --git a/src/auth/auth.service.ts b/src/auth/auth.service.ts
@@ -11,6 +11,7 @@ import { Injectable } from '@nestjs/common';
 import { JwtService } from '@nestjs/jwt';
 import Ajv from 'ajv';
 import { readFileSync } from 'fs';
+import crypto from 'node:crypto';
 import { existsSync } from 'node:fs';
 import path from 'node:path';
 import {
@@ -248,7 +249,10 @@ export class AuthService {
 
     // 添加 0-5 分钟随机偏移
     const baseValidSeconds = 15 * 60;
-    const randomOffset = Math.floor(Math.random() * 300);
+    // Use cryptographically secure random number generator
+    const randomOffsetBytes = crypto.randomBytes(2);
+    const randomOffset =
+      ((randomOffsetBytes[0] << 8) | randomOffsetBytes[1]) % 300;
     const sudoValidSeconds = baseValidSeconds + randomOffset;
 
     const newAuthorization: Authorization = {
diff --git a/src/users/users.service.ts b/src/users/users.service.ts
@@ -33,6 +33,7 @@ import { isEmail } from 'class-validator';
 import { Request } from 'express';
 import Redis from 'ioredis';
 import assert from 'node:assert';
+import crypto from 'node:crypto';
 import { AnswerService } from '../answer/answer.service';
 import {
   InvalidCredentialsError,
@@ -131,7 +132,8 @@ export class UsersService {
   private generateVerifyCode(): string {
     let code: string = '';
     for (let i = 0; i < 6; i++) {
-      code += Math.floor(Math.random() * 10).toString()[0];
+      const randomByte = crypto.randomBytes(1)[0];
+      code += (randomByte % 10).toString();
     }
     return code;
   }
@@ -1859,7 +1861,7 @@ export class UsersService {
     providerUserId: string,
   ): string {
     const timestamp = Date.now();
-    const random = Math.random().toString(36).substring(2);
+    const random = crypto.randomBytes(8).toString('hex');
     return `oauth_${type}_${providerId}_${providerUserId}_${timestamp}_${random}`;
   }
 
@@ -2040,7 +2042,7 @@ export class UsersService {
           userId,
           providerId,
           providerUserId: userInfo.id,
-          rawProfile: userInfo,
+          rawProfile: userInfo as any,
         },
       });
     }
@@ -2260,7 +2262,8 @@ export class UsersService {
       'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*';
     let password = '';
     for (let i = 0; i < 16; i++) {
-      password += chars.charAt(Math.floor(Math.random() * chars.length));
+      const randomByte = crypto.randomBytes(1)[0];
+      password += chars.charAt(randomByte % chars.length);
     }
     return password;
   }
