feat: upgrade token security, upgrade go, packages, fix linting issues

Token generation changes:
1. Increasing to 32 bytes (256 bits) of entropy
2. Using crypto/rand.Read directly instead of loop

2 files changed, 24 insertions, 12 deletions

diff --git a/internal/admin/service_test.go b/internal/admin/service_test.go
index 06088bc..9af6bb9 100644
--- a/internal/admin/service_test.go
+++ b/internal/admin/service_test.go
@@ -108,7 +108,12 @@ func TestInitServer(t *testing.T) {
 			{"role:maintainers", "/thisismynewrepo/git-receive-pack", "POST"},
 		}
 		for _, policy := range expectedPolicies {
-			if !svc.HasPolicy(policy[0], policy[1], policy[2]) {
+			hasPolicy, err := svc.HasPolicy(policy[0], policy[1], policy[2])
+			if err != nil {
+				t.Log("error checking policies", err)
+				t.Fail()
+			}
+			if !hasPolicy {
 				t.Log("policy not found", policy)
 				t.Fail()
 			}
@@ -136,10 +141,16 @@ func TestInitServer(t *testing.T) {
 			{"role:admin", "/mgmt/git-receive-pack", "POST"},
 		}
 		for _, policy := range expectedPolicies {
-			if !svc.HasPolicy(policy[0], policy[1], policy[2]) {
+			hasPolicy, err := svc.HasPolicy(policy[0], policy[1], policy[2])
+			if err != nil {
+				t.Log("error checking policies", err)
+				t.Fail()
+			}
+			if !hasPolicy {
 				t.Log("policy not found", policy)
 				t.Fail()
 			}
+
 		}
 	})
 	t.Run("test an unitialized server config", func(t *testing.T) {
diff --git a/internal/authz/model.go b/internal/authz/model.go
index c43a159..0c55c15 100644
--- a/internal/authz/model.go
+++ b/internal/authz/model.go
@@ -6,12 +6,14 @@ import (
 	"encoding/hex"
 	"fmt"
 	"log/slog"
-	"math/big"
 	"os"
 
 	"golang.org/x/crypto/bcrypt"
 )
 
+// TokenSize is the number of random bytes used for token generation
+const TokenSize = 32
+
 // NewTokenMap create a new token map
 func NewTokenMap() TokenMap {
 	return TokenMap{}
@@ -42,17 +44,16 @@ func (tm TokenMap) LoadTokensFromFile(path string) error {
 	return err
 }
 
-// GenerateNewToken generate a new token
+// GenerateNewToken generates a new secure random token and its bcrypt hash
+// The token is 32 bytes (256 bits) of cryptographically secure random data
+// encoded as a 64-character hex string. The hash is a bcrypt hash of the
+// random bytes using default cost parameters.
 func GenerateNewToken() (string, string, error) {
-	tokenBytes := make([]byte, 28)
-	for i := range tokenBytes {
-		maxInt := big.NewInt(int64(255))
-		randInt, err := rand.Int(rand.Reader, maxInt)
-		if err != nil {
-			return "", "", err
-		}
-		tokenBytes[i] = uint8(randInt.Int64())
+	tokenBytes := make([]byte, TokenSize)
+	if _, err := rand.Read(tokenBytes); err != nil {
+		return "", "", fmt.Errorf("failed to generate random token: %w", err)
 	}
+
 	hashBytes, err := bcrypt.GenerateFromPassword(tokenBytes, bcrypt.DefaultCost)
 	if err != nil {
 		return "", "", err