From f26898d4c87aba088d3fa76bb9dbdcbd607d74ac Mon Sep 17 00:00:00 2001
From: Mehtab Singh
Date: Mon, 18 May 2026 12:32:56 +0530
Subject: [PATCH] fix: use randomBytes() instead of Math.random() for OAuth state generation
---
 apps/backend/src/routes/auth.ts | 4 ++--
 apps/backend/src/routes/connect.ts | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/apps/backend/src/routes/auth.ts b/apps/backend/src/routes/auth.ts
index e12f10a..062808b 100644
--- a/apps/backend/src/routes/auth.ts
+++ b/apps/backend/src/routes/auth.ts
@@ -1,5 +1,5 @@
 import type { FastifyInstance, FastifyRequest, FastifyReply } from 'fastify';
-
+import { randomBytes } from 'crypto';
 const GITHUB_AUTH_URL = 'https://github.com/login/oauth/authorize';
 const GITHUB_TOKEN_URL = 'https://github.com/login/oauth/access_token';
 const GITHUB_USER_URL = 'https://api.github.com/user';
@@ -287,5 +287,5 @@ export async function authRoutes(app: FastifyInstance) {
 }
 
 function generateState(): string {
-  return Math.random().toString(36).substring(2, 15);
+  return randomBytes(32).toString('hex');
 }
diff --git a/apps/backend/src/routes/connect.ts b/apps/backend/src/routes/connect.ts
index 952e845..68f8671 100644
--- a/apps/backend/src/routes/connect.ts
+++ b/apps/backend/src/routes/connect.ts
@@ -170,5 +170,5 @@ function parseGoogleState(state: string): ParsedOAuthState | null {
 }
 
 function generateState(): string {
-  return Math.random().toString(36).substring(2, 15);
+  return randomBytes(32).toString('hex');
 }
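Review bot: The new import in the first auth.ts hunk replaces the blank line that separated the `fastify` import from the `GITHUB_*` constants, so the import block now runs straight into the constants; keep the separator by adding a blank line after `import { randomBytes } from 'crypto';`. Since the file is written as an ES module, the builtin can also be named explicitly so it cannot be shadowed by a same-named package: `import { randomBytes } from 'node:crypto';`.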
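Review bot: After this commit `generateState` in the second auth.ts hunk is byte-identical to the copy in the connect.ts hunk, and neither copy is documented; this is a natural candidate for one shared helper that both route files import, so a future change to the nonce size or encoding cannot drift between them. If the duplication is kept for now, a one-line TSDoc on each would state the contract, e.g. `/** Returns a fresh OAuth state nonce: 32 cryptographically random bytes, hex-encoded (64 chars). */`. Note the value grows from roughly 13 base-36 characters to 64 hex characters; whether anything that stores or compares the state (session, cookie, database column) constrains its length is not visible in this diff and should be confirmed.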
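Review bot: The connect.ts hunk calls `randomBytes` on its new side, but this hunk is the only change to that file (diffstat `2 +-`), and no import is added the way the auth.ts hunk adds one; unless connect.ts already imports `randomBytes` above line 170, the file will fail to compile with an undefined name. Add `import { randomBytes } from 'crypto';` to connect.ts's import block alongside the existing imports, mirroring the auth.ts change. The surrounding `parseGoogleState` function named in the hunk header starts outside the hunk.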