From 29b30b27e64d085d9b4c1ef8d98d471667eed3da Mon Sep 17 00:00:00 2001
From: Arlind
Date: Wed, 17 Jun 2026 15:57:14 +0200
Subject: [PATCH] fix(auth): strengthen admin temp-password entropy to 128 bits
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

generateTempPassword() used randomBytes(4) — 32 bits behind a known 'Bifrost-' prefix — for a directly-usable login password set by the admin reset action. Brute-forceable. Bump to randomBytes(16) (128 bits) base64url. Flagged by automated security review.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 src/lib/auth.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index ff16f61..fc79ace 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -23,9 +23,11 @@ export function verifyPassword(password: string, hash: string): boolean {
 }
 
 /** A readable one-time password for admin resets. Give to the user; they
- * change it from /account. */
+ * change it from /account. 16 bytes = 128 bits of entropy from the CSPRNG
+ * (the 'Bifrost-' prefix is fixed/known, so the randomness must carry the
+ * full strength on its own). */
 export function generateTempPassword(): string {
-  return 'Bifrost-' + randomBytes(4).toString('hex');
+  return 'Bifrost-' + randomBytes(16).toString('base64url');
 }
 
 // ── Invite tokens ────────────────────────────────────────────────
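Review bot: The docstring kept on the new side still calls the value a "readable" password, but `return 'Bifrost-' + randomBytes(16).toString('base64url');` now yields a 22-character mixed-case string that can contain `-`, `_` and look-alike glyphs (`l`/`I`, `0`/`O`), which is awkward for a credential an admin relays to a person. Either amend the first docstring line to say the value is meant to be copied, not read aloud, or keep the 128-bit strength and encode with an unambiguous alphabet; leaving "readable" in place overstates what the new encoding delivers. The `'base64url'` BufferEncoding only exists on Node 15.7 or later (and needs a matching `@types/node`); older runtimes throw `ERR_UNKNOWN_ENCODING` at call time rather than at build time, so confirm the project's engine floor, which is declared outside this hunk. Since the return value is a live login credential, it is also worth confirming that the admin reset action calling this function does not log or echo it anywhere beyond the admin's own response.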