Remove the use of `rand`

Here is a patch for the current release.

Hi bbeversdorf,
Thanks for raising the issue. Can you explain a bit more why this is this really important, because as you say the outcome is the same due to the limited character set. I'm not against the change, just want to know more. It is a url to run a cron job, not someones account password.

Also we need to understand and ensure that the generated value is a valid url. Are there options / parameters availble on the passwordGenerator->generate() method for this?

The phpunit tests have not run due to DrupalCI halting if there is a coding standards fault. Can you fix that, so we see the tests run. Thanks.

Hi jonathan1055,

The initial reasoning was to use a "safe" way to generate a random ID versus a potentially "unsafe" way. I did not want to change the functionality of what you originally had and I wanted to rely on Core as they have "best practices" for Drupal.

I dug a little more into Drupal's cron key generation in core/modules/system/system.install. They are using $cron_key = Crypt::randomBytesBase64(55);. Here is the original issue ( https://www.drupal.org/project/drupal/issues/2140433 → ); rand is susceptible as the same "predictability" (https://www.php.net/manual/en/function.rand.php).

I've re-rolled the patch to follow Core.

Thanks bbeversdorf, that's very helpful info.
To get the tests running you need to set the issue status to 'needs review' or you can click on 'Add test'
At this stage you only need to make a patch against 2.x-dev as that is what will be tested.

I would prefer a Merge Request, see docs/develop/git/using-gitlab-to-contribute-to-drupal → . In 5 months patch testing will be removed from drupal.org and everything will be via MR and gitlab pipelines.