From fc50b08499f47d296110d6cda8e3a3974161d1a6 Mon Sep 17 00:00:00 2001
From: edgerunnergit
Date: Wed, 3 Jul 2024 04:52:07 +0530
Subject: [PATCH 1/2] make generate_session_key() public and change impl to use DistString
---
 actix-session/src/storage/utils.rs | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/actix-session/src/storage/utils.rs b/actix-session/src/storage/utils.rs
index bc91988675..c4cacd9e19 100644
--- a/actix-session/src/storage/utils.rs
+++ b/actix-session/src/storage/utils.rs
@@ -1,17 +1,12 @@
-use rand::{distributions::Alphanumeric, rngs::OsRng, Rng as _};
-
 use crate::storage::SessionKey;
+use rand::distributions::Alphanumeric;
+use rand::distributions::DistString;
 /// Session key generation routine that follows [OWASP recommendations].
 ///
 /// [OWASP recommendations]: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-id-entropy
-pub(crate) fn generate_session_key() -> SessionKey {
- let value = std::iter::repeat(())
- .map(|()| OsRng.sample(Alphanumeric))
- .take(64)
- .collect::>();
-
- // These unwraps will never panic because pre-conditions are always verified
- // (i.e. length and character set)
- String::from_utf8(value).unwrap().try_into().unwrap()
+pub fn generate_session_key() -> SessionKey {
+ let session_key = Alphanumeric.sample_string(&mut rand::thread_rng(), 64);
+ // This unwrap should never panic because the String is guaranteed to be 64 alphanumeric characters
+ session_key.try_into().unwrap()
 }
From 961f6a0d954670e88a19305de3dc75653a514a88 Mon Sep 17 00:00:00 2001
From: edgerunnergit
Date: Wed, 3 Jul 2024 05:01:52 +0530
Subject: [PATCH 2/2] add changelong and use nightly fmt
---
 actix-session/CHANGES.md | 1 +
 actix-session/src/storage/utils.rs | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/actix-session/CHANGES.md b/actix-session/CHANGES.md
index 1cdc19e258..4e3fafca22 100644
--- a/actix-session/CHANGES.md
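Review bot: The new body under `+pub fn generate_session_key()` quietly swaps the entropy source from `OsRng` to `rand::thread_rng()`, and neither the commit title nor the inline comment calls that out. `ThreadRng` is documented by rand as a CSPRNG seeded from `OsRng`, so the OWASP requirement the doc comment cites still appears to hold, but a change of RNG behind a security-critical secret should be stated explicitly; I would extend the doc comment with a line such as `/// Keys are 64 alphanumeric characters (about 381 bits of entropy) drawn from the CSPRNG behind `rand::thread_rng`.` Now that the function is `pub`, that doc comment is the public contract, so the length and character set belong there rather than only in the inline comment. I would also replace the bare unwrap with `session_key.try_into().expect("64 alphanumeric chars always form a valid SessionKey")` so that the invariant names itself if `SessionKey`'s validation (not visible in this hunk) ever changes.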
+++ b/actix-session/CHANGES.md
@@ -6,6 +6,7 @@
 - Rename `redis-rs-session` crate feature to `redis-session`.
 - Rename `redis-rs-tls-session` crate feature to `redis-session-native-tls`.
 - Remove `redis-actor-session` crate feature (and, therefore, the `actix-redis` based storage backend).
+- Make `generate_session_key()` public and change it's implementation to use `DistString::sample_string` method.
 ## 0.9.0
diff --git a/actix-session/src/storage/utils.rs b/actix-session/src/storage/utils.rs
index c4cacd9e19..a4742cf0a9 100644
--- a/actix-session/src/storage/utils.rs
+++ b/actix-session/src/storage/utils.rs
@@ -1,6 +1,6 @@
+use rand::distributions::{Alphanumeric, DistString};
+
 use crate::storage::SessionKey;
-use rand::distributions::Alphanumeric;
-use rand::distributions::DistString;
 /// Session key generation routine that follows [OWASP recommendations].
 ///