Nonce generation uses insecure random

[chethega]

Consider this line.

This generates a nonce using the default random, which is Mersenne Twister. MT is not a CSPRNG, i.e. the internal state and hence all past and future random numbers can be extracted from a few random numbers from the stream.

The nonce generation should use a secure random instead. For example, const CSPRNG = Random.RandomDevice() and randstring(CSPRNG, length) would do the job.

Cf general discussion (here)[https://github.com/JuliaLang/julia/issues/32954].

[randyzwitch]

If this is important to you, I'm happy to accept a PR

[chethega]

It's not important to me personally, since I don't use OAuth.jl. But it does impact the security of all your users against replay attacks.

I'll ping you when julialang has settled on an official recommendation. I am guessing that the amount of affected users and the number of real-world attackers are small enough that this can wait until then, but you are in a better position to judge that.