From 62a5e65c2ed35683d2beb786651bb3546f34ed99 Mon Sep 17 00:00:00 2001 From: Victor Vrantchan Date: Wed, 7 Dec 2016 10:42:58 -0500 Subject: [PATCH] use random string instead of JWT for tokens. (#584) uses a random URL encoded base64 string as the token for password reset and invites. --- server/service/service_invites.go | 5 +++-- server/service/service_users.go | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/server/service/service_invites.go b/server/service/service_invites.go index a9298e88f4..e5db93de0b 100644 --- a/server/service/service_invites.go +++ b/server/service/service_invites.go @@ -1,9 +1,9 @@ package service import ( + "encoding/base64" "errors" - jwt "github.com/dgrijalva/jwt-go" kolide_errors "github.com/kolide/kolide-ose/server/errors" "github.com/kolide/kolide-ose/server/kolide" "golang.org/x/net/context" @@ -25,10 +25,11 @@ func (svc service) InviteNewUser(ctx context.Context, payload kolide.InvitePaylo return nil, err } - token, err := jwt.New(jwt.SigningMethodHS256).SignedString([]byte(svc.config.App.TokenKey)) + random, err := kolide.RandomText(svc.config.App.TokenKeySize) if err != nil { return nil, err } + token := base64.URLEncoding.EncodeToString([]byte(random)) invite := &kolide.Invite{ Email: *payload.Email, diff --git a/server/service/service_users.go b/server/service/service_users.go index 6dae47830b..d3f412f7f7 100644 --- a/server/service/service_users.go +++ b/server/service/service_users.go @@ -5,7 +5,6 @@ import ( "encoding/base64" "time" - jwt "github.com/dgrijalva/jwt-go" "github.com/kolide/kolide-ose/server/contexts/viewer" "github.com/kolide/kolide-ose/server/kolide" "golang.org/x/net/context" 
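Review bot: The strength of the new invite token rests entirely on `svc.config.App.TokenKeySize` and on how `kolide.RandomText` draws its randomness, and the InviteNewUser hunk guards neither: a small or zero configured size yields a short, guessable token and nothing here enforces a floor. I would reject undersized configs before generating, e.g. `if svc.config.App.TokenKeySize < 16 { return nil, errors.New("token size too small for an invite token") }` (`errors` is already imported in this file), and confirm that RandomText reads from crypto/rand rather than math/rand, since a math/rand-seeded token is predictable. If RandomText already returns printable text, `base64.URLEncoding.EncodeToString([]byte(random))` is a second encoding that lengthens the token without adding entropy — presumably harmless, but worth a comment or dropping. The same four lines now appear in both InviteNewUser and RequestPasswordReset, so a small `svc.newToken()` helper would keep the length check and encoding in one place. InviteNewUser begins before this hunk.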
@@ -180,10 +179,11 @@ func (svc service) RequestPasswordReset(ctx context.Context, email string) error } } - token, err := jwt.New(jwt.SigningMethodHS256).SignedString([]byte(svc.config.App.TokenKey)) + random, err := kolide.RandomText(svc.config.App.TokenKeySize) if err != nil { return err } + token := base64.URLEncoding.EncodeToString([]byte(random)) request := &kolide.PasswordResetRequest{ UpdateCreateTimestamps: kolide.UpdateCreateTimestamps{
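Review bot: A short reset token is a brute-forceable credential, and this hunk takes the token length straight from `svc.config.App.TokenKeySize` with no lower bound and no comment stating the minimum the deployment must configure; add a check such as `if svc.config.App.TokenKeySize < 16 { return errors.New("token size too small for a reset token") }` ahead of the `kolide.RandomText` call, using whichever error package this file already imports. Because this token is presumably embedded in a link sent to the user, prefer `base64.RawURLEncoding` so the value carries no `=` padding, which gets percent-encoded in URLs and is a common source of lookup mismatches on the way back in. Whether the request stores the token in plaintext or with an expiry is outside this hunk, so the rest of RequestPasswordReset should be checked for both. The function continues past the end of the hunk.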