fix: use crypto.randomBytes for session ID generation

generateSecureSessionId() used Math.random() which is cryptographically
predictable. Replace with crypto.randomBytes() so session IDs cannot
be guessed by observing previous values.

Author: ashsolei

api/sessions/create.js

@@ -3,6 +3,7 @@
  * /api/sessions/create
  */
 
+const crypto = require('crypto');
 const admin = require('firebase-admin');
 const jwt = require('jsonwebtoken');
 
@@ -28,9 +29,10 @@ if (!JWT_SECRET || !process.env.FIREBASE_PROJECT_ID) {
 // Generate secure session ID
 function generateSecureSessionId() {
   const chars = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
+  const bytes = crypto.randomBytes(8);
   let code = '';
   for (let i = 0; i < 8; i++) {
-    code += chars.charAt(Math.floor(Math.random() * chars.length));
+    code += chars.charAt(bytes[i] % chars.length);
   }
   return code;
 }