Switch to using secrets module from os.urandom

binderhub/app.py

@@ -950,7 +950,7 @@ def initialize(self, *args, **kwargs):
                 "enable_api_only_mode": self.enable_api_only_mode,
             }
         )
-        self.tornado_settings["cookie_secret"] = os.urandom(32)
+        self.tornado_settings["cookie_secret"] = secrets.token_bytes(32)
         if self.cors_allow_origin:
             self.tornado_settings.setdefault("headers", {})[
                 "Access-Control-Allow-Origin"

binderhub/tests/conftest.py

@@ -3,9 +3,9 @@
 import inspect
 import json
 import os
+import secrets
 import subprocess
 import time
-from binascii import b2a_hex
 from collections import defaultdict
 from unittest import mock
 from urllib.parse import urlparse
@@ -379,7 +379,7 @@ def always_build(app, request):
     if REMOTE_BINDER:
         return
     # make it long to ensure we run into max build slug length
-    session_id = b2a_hex(os.urandom(16)).decode("ascii")
+    session_id = secrets.token_hex(16)
 
     def patch_provider(Provider):
         original_slug = Provider.get_build_slug

binderhub/tests/test_registry.py

@@ -2,7 +2,7 @@
 
 import base64
 import json
-import os
+import secrets
 from random import randint
 
 import pytest
@@ -129,9 +129,7 @@ def get(self):
             raise HTTPError(403, "Bad username %r" % username)
         if password != self.test_handle["password"]:
             raise HTTPError(403, "Bad password %r" % password)
-        self.test_handle["token"] = token = (
-            base64.encodebytes(os.urandom(5)).decode("ascii").rstrip()
-        )
+        self.test_handle["token"] = token = secrets.token_hex(8)
         self.set_header("Content-Type", "application/json")
         self.write(json.dumps({"token": token}))