Replace Math.random with crypto.getBytes for session tokens

packages/node_modules/@node-red/editor-api/lib/auth/tokens.js

@@ -14,15 +14,7 @@
  * limitations under the License.
  **/
 
-function generateToken(length) {
-    var c = "ABCDEFGHIJKLMNOPQRSTUZWXYZabcdefghijklmnopqrstuvwxyz1234567890";
-    var token = [];
-    for (var i=0;i<length;i++) {
-        token.push(c[Math.floor(Math.random()*c.length)]);
-    }
-    return token.join("");
-}
-
+const crypto = require("crypto");
 
 var storage;
 var sessionExpiryTime
@@ -115,7 +107,7 @@ module.exports = {
     },
     create: function(user,client,scope) {
         return loadSessions().then(function() {
-            var accessToken = generateToken(128);
+            var accessToken = crypto.randomBytes(128).toString('base64');
 
             var accessTokenExpiresAt = Date.now() + (sessionExpiryTime*1000);
 

packages/node_modules/@node-red/editor-api/lib/editor/comms.js

@@ -16,6 +16,7 @@
 
 var ws = require("ws");
 var url = require("url");
+const crypto = require("crypto");
 
 var log = require("@node-red/util").log; // TODO: separate module
 var Tokens;
@@ -56,17 +57,9 @@ function handleSessionExpiry(session) {
         }
     })
 }
-function generateSession(length) {
-    var c = "ABCDEFGHIJKLMNOPQRSTUZWXYZabcdefghijklmnopqrstuvwxyz1234567890";
-    var token = [];
-    for (var i=0;i<length;i++) {
-        token.push(c[Math.floor(Math.random()*c.length)]);
-    }
-    return token.join("");
-}
 
 function CommsConnection(ws, user) {
-    this.session = generateSession(32);
+    this.session = crypto.randomBytes(32).toString('base64');
     this.ws = ws;
     this.stack = [];
     this.user = user;