WebServer/qBit session tokens need CSPRNG-backed generation

Summary

Legacy WebServer and qBittorrent-compatible authenticated sessions must not rely on predictable rand()/time-seeded token generation. Session token creation must use secure randomness and fail closed if secure generation is unavailable.

Disposition

Won't-Fix for beta 0.7.3 by release-owner decision on 2026-05-13. The legacy WebServer session-token hardening is not release scope and must not block the beta tag.

Acceptance Criteria

  • [ ] Session token generation uses a Windows CSPRNG-backed API or an existing project secure-random helper backed by one.
  • [ ] Token generation failure prevents session creation rather than issuing a weak token.
  • [ ] WebServer/qBit login behavior remains compatible on success.
  • [ ] Focused auth/session tests cover token creation success and failure.
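The shape the first two criteria describe, as an added example that is not the project's own code: a token generator that draws only from the platform CSPRNG (BCryptGenRandom with BCRYPT_USE_SYSTEM_PREFERRED_RNG on Windows; getrandom elsewhere so the example also builds on other platforms), returns no token at all when that source fails, and a login path that creates no session without a token. The names SecureRandomBytes, CreateSessionToken, SessionStore, RandomSource and kTokenBytes are hypothetical; the random source is injectable so the failure branch can be exercised in a focused test, which is what the fourth criterion asks for.

```cpp
// Added example (not the project's own code). Names are hypothetical.
#include <cerrno>
#include <cstddef>
#include <functional>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

#ifdef _WIN32
#  include <windows.h>
#  include <bcrypt.h>
#  pragma comment(lib, "bcrypt.lib")
#else
#  include <sys/random.h>
#endif

// Fills buf with len bytes from the operating-system CSPRNG.
// Returns false on any error and never falls back to rand()/time seeding.
bool SecureRandomBytes(unsigned char* buf, size_t len) {
#ifdef _WIN32
    NTSTATUS st = BCryptGenRandom(nullptr, buf, static_cast<ULONG>(len),
                                  BCRYPT_USE_SYSTEM_PREFERRED_RNG);
    return BCRYPT_SUCCESS(st);
#else
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, 0);
        if (n < 0) {
            if (errno == EINTR) continue;   // interrupted: retry
            return false;                   // any other error: fail closed
        }
        got += static_cast<size_t>(n);
    }
    return true;
#endif
}

// Injectable random source so tests can simulate CSPRNG failure.
using RandomSource = std::function<bool(unsigned char*, size_t)>;

constexpr size_t kTokenBytes = 16;  // 128 bits of entropy -> 32 hex chars

// Returns a hex-encoded session token, or std::nullopt when the random
// source fails. No weak token is ever produced.
std::optional<std::string> CreateSessionToken(const RandomSource& rng = SecureRandomBytes) {
    unsigned char raw[kTokenBytes];
    if (!rng(raw, sizeof raw)) return std::nullopt;  // fail closed
    static const char* const hex = "0123456789abcdef";
    std::string out;
    out.reserve(kTokenBytes * 2);
    for (unsigned char b : raw) {
        out.push_back(hex[b >> 4]);
        out.push_back(hex[b & 0x0f]);
    }
    return out;
}

// Minimal session registry: a session exists only if a token was issued.
struct SessionStore {
    std::vector<std::string> active;

    // Login path: returns false (no session created) if token creation failed.
    bool Login(const RandomSource& rng = SecureRandomBytes) {
        auto tok = CreateSessionToken(rng);
        if (!tok) return false;
        active.push_back(*tok);
        return true;
    }
};

// Self-check: two tokens from the real CSPRNG are well formed and distinct.
bool TokensLookSound() {
    auto a = CreateSessionToken();
    auto b = CreateSessionToken();
    if (!a || !b) return false;
    if (a->size() != kTokenBytes * 2 || b->size() != kTokenBytes * 2) return false;
    if (a->find_first_not_of("0123456789abcdef") != std::string::npos) return false;
    return *a != *b;
}

// Self-check: a failing random source yields no token and no session.
bool FailsClosed() {
    RandomSource broken = [](unsigned char*, size_t) { return false; };
    SessionStore store;
    return !CreateSessionToken(broken).has_value()
        && !store.Login(broken)
        && store.active.empty();
}

int main() {
    auto tok = CreateSessionToken();
    if (!tok) {
        std::cerr << "secure RNG unavailable; refusing to issue a session\n";
        return 1;
    }
    std::cout << "session token: " << *tok << "\n";
    return 0;
}
```

The design point is the return type: a generator that returns std::optional forces every caller to handle the failure branch, so the "issue a weak token anyway" path cannot be written by accident, and the compatibility criterion is met because the success path still yields an opaque hex string of fixed length.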

Validation

  • python -m emule_workspace validate
  • Focused WebServer auth/session tests through the supported workspace test entrypoint.