From 9e87f0afed6f26605adb1661cdc32f5c07947c02 Mon Sep 17 00:00:00 2001
From: David Sheets
Date: Mon, 7 Sep 2020 10:04:31 +0100
Subject: [PATCH] home/auth: disable non-crypto RNG gosec lint check for session salt

Fixes #2078.
---
 home/auth.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/home/auth.go b/home/auth.go
index 36e56d05..afb7f0ed 100644
--- a/home/auth.go
+++ b/home/auth.go
@@ -276,7 +276,11 @@ type loginJSON struct {
 }
 
 func getSession(u *User) []byte {
-	d := []byte(fmt.Sprintf("%d%s%s", rand.Uint32(), u.Name, u.PasswordHash))
+	// the developers don't currently believe that using a
+	// non-cryptographic RNG for the session hash salt is
+	// insecure
+	salt := rand.Uint32() //nolint:gosec
+	d := []byte(fmt.Sprintf("%d%s%s", salt, u.Name, u.PasswordHash))
 	hash := sha256.Sum256(d)
 	return hash[:]
 }
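Review bot: The `//nolint:gosec` on the `salt := rand.Uint32()` line silences a real finding rather than a false positive: the session identifier is sha256 over the user name, the password hash and this salt, so its unpredictability rests on at most 32 bits from what the subject line itself calls a non-cryptographic RNG, whose output is reproducible from its seed (the import is outside the hunk, but an unseeded `math/rand` global source is fully deterministic before Go 1.20). Anyone who learns or brute-forces the password hash, or who can observe the generator's state, can then predict valid session tokens, and even without that the per-session entropy is capped at 2^32. Draw the salt from `crypto/rand` instead and drop the nolint comment; since `getSession` has no error return, a CSPRNG read failure should abort token issuance rather than fall back to a weaker source, so the excerpt below panics — adapt that to the file's error convention. With a 32-byte CSPRNG salt the name and password hash add no security, but keeping them in the hashed input is harmless.
```go
func getSession(u *User) []byte {
	// The session token is only as unpredictable as this salt, so it must
	// come from the OS CSPRNG, never from math/rand.
	var salt [32]byte
	if _, err := crand.Read(salt[:]); err != nil { // crand is "crypto/rand"
		panic(fmt.Errorf("reading session salt: %w", err))
	}
	d := []byte(fmt.Sprintf("%x%s%s", salt, u.Name, u.PasswordHash))
	// … unchanged: sha256 and return …
}
```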