From 83da55dbd3fbbfa81aea0e2b48f405d0a65f8757 Mon Sep 17 00:00:00 2001
From: YuviPanda <yuvipanda@gmail.com>
Date: Sat, 14 Dec 2024 08:45:52 -0800
Subject: [PATCH] Switch to using secrets module from os.urandom

---
 binderhub/app.py                 | 2 +-
 binderhub/tests/conftest.py      | 4 ++--
 binderhub/tests/test_registry.py | 6 ++----
 3 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/binderhub/app.py b/binderhub/app.py
index 430162314..dd14e1dd4 100644
--- a/binderhub/app.py
+++ b/binderhub/app.py
@@ -950,7 +950,7 @@ def initialize(self, *args, **kwargs):
                 "enable_api_only_mode": self.enable_api_only_mode,
             }
         )
-        self.tornado_settings["cookie_secret"] = os.urandom(32)
+        self.tornado_settings["cookie_secret"] = secrets.token_bytes(32)
         if self.cors_allow_origin:
             self.tornado_settings.setdefault("headers", {})[
                 "Access-Control-Allow-Origin"
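Review bot: The new `cookie_secret` assignment calls `secrets.token_bytes(32)`, but this hunk is the only change to binderhub/app.py (1 insertion, 1 deletion per the diffstat) and it adds no `import secrets`, unlike the conftest.py and test_registry.py hunks, which do. Unless `secrets` is already imported near the top of app.py, this will raise `NameError` when `initialize()` runs; please confirm the import exists or add `import secrets` next to the existing stdlib imports. Note that `secrets.token_bytes` is backed by the same `os.urandom` CSPRNG, so this is a clarity change rather than a strengthening of the secret. As a pre-existing caveat the commit does not touch, generating `cookie_secret` at `initialize()` time means signed cookies are invalidated on every process restart and differ across replicas, which is worth a comment such as `# per-process secret: cookies do not survive restarts or span replicas` if that is intentional. The enclosing `initialize` method begins before this hunk.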
diff --git a/binderhub/tests/conftest.py b/binderhub/tests/conftest.py
index 48faa3e74..4cd80b284 100644
--- a/binderhub/tests/conftest.py
+++ b/binderhub/tests/conftest.py
@@ -3,9 +3,9 @@
 import inspect
 import json
 import os
+import secrets
 import subprocess
 import time
-from binascii import b2a_hex
 from collections import defaultdict
 from unittest import mock
 from urllib.parse import urlparse
@@ -379,7 +379,7 @@ def always_build(app, request):
     if REMOTE_BINDER:
         return
     # make it long to ensure we run into max build slug length
-    session_id = b2a_hex(os.urandom(16)).decode("ascii")
+    session_id = secrets.token_hex(16)
 
     def patch_provider(Provider):
         original_slug = Provider.get_build_slug
diff --git a/binderhub/tests/test_registry.py b/binderhub/tests/test_registry.py
index 774fa08c1..8168448ba 100644
--- a/binderhub/tests/test_registry.py
+++ b/binderhub/tests/test_registry.py
@@ -2,7 +2,7 @@
 
 import base64
 import json
-import os
+import secrets
 from random import randint
 
 import pytest
@@ -129,9 +129,7 @@ def get(self):
             raise HTTPError(403, "Bad username %r" % username)
         if password != self.test_handle["password"]:
             raise HTTPError(403, "Bad password %r" % password)
-        self.test_handle["token"] = token = (
-            base64.encodebytes(os.urandom(5)).decode("ascii").rstrip()
-        )
+        self.test_handle["token"] = token = secrets.token_hex(8)
         self.set_header("Content-Type", "application/json")
         self.write(json.dumps({"token": token}))