From 964d9f0cf3b7491b398faffcc57b5e0ab0e067d3 Mon Sep 17 00:00:00 2001
From: Fred Cox
Date: Tue, 8 Aug 2017 17:07:02 +0300
Subject: [PATCH] Use random_bytes from php7 for a reliable and secure random number generator

- Included backwards compatibility
- Dont ruin the good random with md5
---
 composer.json | 3 ++-
 src/ResponseType/CodeResponseTypeHandler.php | 2 +-
 src/TokenType/BearerTokenTypeHandler.php | 4 ++--
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/composer.json b/composer.json
index 0f7c216e..e5641347 100644
--- a/composer.json
+++ b/composer.json
@@ -42,7 +42,8 @@
 "symfony/http-foundation": "~3.2",
 "symfony/http-kernel": "~3.2",
 "symfony/security": "~3.2",
- "symfony/validator": "~3.2"
+ "symfony/validator": "~3.2",
+ "paragonie/random_compat": "^2.0"
 },
 "require-dev": {
 "doctrine/data-fixtures": "~1.0",
diff --git a/src/ResponseType/CodeResponseTypeHandler.php b/src/ResponseType/CodeResponseTypeHandler.php
index bfe84d58..8c0a084f 100644
--- a/src/ResponseType/CodeResponseTypeHandler.php
+++ b/src/ResponseType/CodeResponseTypeHandler.php
@@ -48,7 +48,7 @@ public function handle(Request $request)
 $codeManager = $this->modelManagerFactory->getModelManager('code');
 $class = $codeManager->getClassName();
 $code = new $class();
- $code->setCode(md5(openssl_random_pseudo_bytes(256)))
+ $code->setCode(bin2hex(random_bytes(64)))
 ->setClientId($clientId)
 ->setUsername($username)
 ->setRedirectUri($redirectUri)
diff --git a/src/TokenType/BearerTokenTypeHandler.php b/src/TokenType/BearerTokenTypeHandler.php
index 783f3bb7..403fcaa8 100644
--- a/src/TokenType/BearerTokenTypeHandler.php
+++ b/src/TokenType/BearerTokenTypeHandler.php
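Review bot: The value written by `$code->setCode(bin2hex(random_bytes(64)))` is now 128 hex characters, four times the 32-character md5 digest the `code` field received before, and the commit changes no mapping or schema alongside it; if the backing column was sized for the old length, persisting the code may fail outright or be silently truncated depending on the database's strict mode, and neither outcome is visible from this diff. The same length change applies to the access-token and refresh-token hunks in BearerTokenTypeHandler.php. I would confirm the column lengths of all three fields in the ORM mapping, and if widening them is undesirable, `bin2hex(random_bytes(32))` still yields 256 bits of entropy in 64 characters, which is more than the previous md5 output could carry. handle() continues outside the hunk.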
@@ -75,7 +75,7 @@ public function createAccessToken(
 $accessTokenManager = $this->modelManagerFactory->getModelManager('access_token');
 $class = $accessTokenManager->getClassName();
 $accessToken = new $class();
- $accessToken->setAccessToken(md5(openssl_random_pseudo_bytes(256)))
+ $accessToken->setAccessToken(bin2hex(random_bytes(64)))
 ->setTokenType('bearer')
 ->setClientId($clientId)
 ->setUsername($username)
@@ -101,7 +101,7 @@ public function createAccessToken(
 $refreshTokenManager = $this->modelManagerFactory->getModelManager('refresh_token');
 $class = $refreshTokenManager->getClassName();
 $refreshToken = new $class();
- $refreshToken->setRefreshToken(md5(openssl_random_pseudo_bytes(256)))
+ $refreshToken->setRefreshToken(bin2hex(random_bytes(64)))
 ->setClientId($clientId)
 ->setUsername($username)
 ->setExpires(new \DateTime('+1 days'))
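Review bot: `random_bytes(64)` on the access-token line (and again on the refresh-token line at @@ -101) throws when no CSPRNG source is available, where the replaced `openssl_random_pseudo_bytes(256)` call returned bytes unconditionally and never inspected its `$crypto_strong` flag; failing closed is the correct behaviour for a token generator, but createAccessToken() has gained an exception path the commit does not document, and on PHP 7 and the random_compat polyfill that exception is a plain `Exception` (PHP 8.2+ raises `\Random\RandomException`), so callers cannot catch anything narrower. I would add `@throws \Exception if no cryptographically secure source of randomness is available` to the method's docblock so the token endpoint handles it deliberately rather than as an unexpected 500. Since the identical `bin2hex(random_bytes(64))` expression now appears here twice and once more in CodeResponseTypeHandler.php, a single shared helper would keep the token length and encoding in one place. createAccessToken() begins before and continues after these hunks.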