Staging by jakeaturner · Pull Request #688 · LibreTexts/conductor

jakeaturner · 2026-02-17T06:07:27Z

No description provided.

server/api/services/agent.ts

+   * Create a new session
+   */
+  async createSession(userId?: string): Promise<string> {
+    const sessionId = `session_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;


In general, to fix insecure randomness you should replace Math.random() (or similarly weak PRNGs) wherever they are used to generate security-sensitive values (session IDs, tokens, passwords, etc.) with a cryptographically secure random number generator. In Node.js, the standard solution is crypto.randomBytes() from the built-in crypto module, which uses a CSPRNG. Convert those bytes to a URL-safe or hex string of sufficient length and use that as the random component of your identifier.

For this specific case, we should change createSession so that it no longer uses Math.random() and instead uses crypto.randomBytes to generate the random segment. We will keep the overall behavior and string format (a session_ prefix and timestamp) but change only the random suffix generation. That means:

Add an import of Node’s crypto module at the top of server/api/services/agent.ts.

In createSession, replace Math.random().toString(36).substr(2, 9) with something like crypto.randomBytes(16).toString('hex'), which yields 32 hex characters (128 bits of randomness).

Keep the rest of the method intact so that how sessionId is stored and used remains unchanged.

Concretely:

Modify server/api/services/agent.ts:

Add import crypto from 'crypto'; (or import * as crypto from 'crypto';) alongside existing imports.

Update line 51 to build sessionId using crypto.randomBytes(...) instead of Math.random().

Co-authored-by: Jake Turner <52841588+jakeaturner@users.noreply.github.com>

…and APIs

This reverts commit e9b148d.

libretexts-bot · 2026-02-17T06:39:16Z

🎉 This PR is included in version 2.116.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

github-advanced-security bot found potential problems Feb 17, 2026

View reviewed changes

AkhilTheBoss and others added 26 commits February 16, 2026 22:08

feat: added AI Agent MVP (#649)

195051d

Co-authored-by: Jake Turner <52841588+jakeaturner@users.noreply.github.com>

chore(deps): regen lockfiles

f435aba

fix(SupportAgent): ensure user auth optional

f67d4e8

fix(deps): override broken dep

c0f6f11

feat(Search): meilisearch beta testing

a81fdf1

feat(Support): add office hours link

c74baa2

fix(API): meilisearch URL

d713bd2

feat: added account creation banner to support ticket form

0d86cbd

feat: removed recently edited projects

b30e2b2

chore(ui): hide Student ID column from Central Identity Users list

4abb683

fix(support): added horizontal scrollbar in support dashboard

2649aad

fix(home): add a 3-row layout for XL-screens

c3d45ff

refactor: removed debugging statements

557905e

chore(conductor): remove Users Manager and related unused components …

d27487b

…and APIs

style: improved spacing and layout in campus settings view

4073223

feat: allow Bulk Download from Commons View

dc5dec7

fix: max name length for Lulu

a58009a

feat: address comments

e60af2a

feat(store-checkout): added store shipping timeline

3223be5

fix: fix checkout page horizontal overflow on mobile

b3b7c94

fix(Store): shipping timeline layout

ed25a07

fix(Campus Settings): cleanup deprecated settings

cae3ae5

refactor: remove unused component

0a4ade8

Revert "feat: removed recently edited projects"

0699330

This reverts commit e9b148d.

fix(Support): temp disable Ask Benny

96cb7be

feat(Search): migrate project search to Meilisearch

ba3ddda

jakeaturner force-pushed the staging branch from a5d3032 to ba3ddda Compare February 17, 2026 06:11

feat(Store): email notif to bookstore contact on order fail or rejection

a57244d

jakeaturner merged commit c7a84aa into master Feb 17, 2026
6 of 7 checks passed

libretexts-bot added the released label Feb 17, 2026

@@ -14,6 +14,7 @@
               buildSystemPrompt,
             } from './prompts.js';
             import axios from 'axios';
+            import crypto from 'crypto';
             export interface AgentSource {
               number: number;
@@ -48,7 +49,8 @@
                * Create a new session
                */
               async createSession(userId?: string): Promise<string> {
-                const sessionId = `session_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+                const randomSuffix = crypto.randomBytes(16).toString('hex');
+                const sessionId = `session_${Date.now()}_${randomSuffix}`;
                 await AgentHistory.create({
                   sessionId,

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Comments

Staging#688

Staging#688
jakeaturner merged 27 commits intomasterfrom
staging

jakeaturner commented Feb 17, 2026

Uh oh!

Check failure

Copilot Autofix

Uh oh!

libretexts-bot commented Feb 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Comments

Conversation

jakeaturner commented Feb 17, 2026

Uh oh!

Check failure

Uh oh!

Copilot Autofix

Uh oh!

libretexts-bot commented Feb 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants