[security] OAuth state parameter uses Math.random() — cryptographically weak, vulnerable to CSRF

[MehtabSandhu11]

The generateState() function in both auth.ts and connect.ts uses Math.random():

function generateState(): string {
  return Math.random().toString(36).substring(2, 15);
}

Math.random() is not cryptographically secure. The OAuth state parameter exists specifically to prevent CSRF attacks. Using a predictable value defeats this protection entirely.

Expected behaviour

The state parameter should be generated using crypto.randomBytes() to ensure it is cryptographically unpredictable.

Proposed fix

import crypto from 'crypto';

function generateState(): string {
  return crypto.randomBytes(32).toString('hex');
}

Files to touch

• apps/backend/src/routes/auth.ts
• apps/backend/src/routes/connect.ts

GSSoC 2026 — Assignment Request

I would like to work on this issue as part of GirlScript Summer of Code 2026. I have reviewed the codebase and understand the root cause and the fix required.

Could you please assign this issue to me?

GitHub: @MehtabSandhu11

Thank you!

[Disha286]

Hi @MehtabSandhu11!
I would like to work on this issue under GSSoC 2026, could you please assign this to me?
I'll have the PR done at the earliest!

[MehtabSandhu11]

Hi @Disha286
Unfortunately, I have already drafted the PR and am just waiting to be assigned so that I can push the PR myself

[MayurLochkar]

Proposed Fix & Why This is the Best Approach
The Issue: The current implementation relies on Math.random() to generate the OAuth state parameter. Since Math.random() is not cryptographically secure, the generated state is predictable. This fundamentally defeats the purpose of the state parameter, which exists specifically to prevent Cross-Site Request Forgery (CSRF) attacks during the OAuth flow.

The Solution: I have resolved this vulnerability by leveraging Node.js's native crypto module. This ensures the state parameter is genuinely unpredictable and meets cryptographic security standards.

Here is the implementation:

import crypto from 'crypto';

function generateState(): string {
return crypto.randomBytes(32).toString('hex');
}

Why my solution is the most optimal:

Security First: It entirely mitigates the CSRF vulnerability by using a proven, cryptographically secure PRNG (Pseudorandom Number Generator) built into Node.js.
Zero Dependencies: It uses the native crypto library, avoiding the need to install or maintain any third-party npm packages (like uuid or nanoid), keeping the bundle size down.
High Entropy: Generating 32 bytes of random data and encoding it to hex produces a high-entropy string that is completely unpredictable and immune to brute-force predictions.
Clean & Concise: The code change is minimal, isolated, and perfectly replaces the previous insecure implementation without needing broader architectural changes.

please submit my solution ...

[Harxhit]

@MehtabSandhu11
I’ve assigned this issue to you now. Also, please join our Discord community from the README section so we can communicate properly and provide valid labels for your contributions, which will help you score points in GSSoC.

[MayurLochkar]

Ok thanks.. for this ..

…

On Mon, 18 May, 2026, 12:30 am Harshit Singh Parihar, < ***@***.***> wrote: *Harxhit* left a comment (Dev-Card/DevCard#123) <#123 (comment)> @MehtabSandhu11 <https://github.com/MehtabSandhu11> I’ve assigned this issue to you now. Also, please join our Discord community from the README section so we can communicate properly and provide valid labels for your contributions, which will help you score points in GSSoC. — Reply to this email directly, view it on GitHub <#123 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BPY422Y2IGWFAKLWJUYUL4343ID4TAVCNFSM6AAAAACZA66PYWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DINZSGE3TIMZQGY> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you commented.Message ID: ***@***.***>