Diffstat (limited to 'internal/authz/model.go')
| -rw-r--r-- | internal/authz/model.go | 21 |
1 files changed, 11 insertions, 10 deletions
diff --git a/internal/authz/model.go b/internal/authz/model.go
index c43a159..0c55c15 100644
--- a/internal/authz/model.go
+++ b/internal/authz/model.go
@@ -6,12 +6,14 @@ import (
 	"encoding/hex"
 	"fmt"
 	"log/slog"
-	"math/big"
 	"os"
 
 	"golang.org/x/crypto/bcrypt"
 )
 
+// TokenSize is the number of random bytes used for token generation
+const TokenSize = 32
+
 // NewTokenMap create a new token map
 func NewTokenMap() TokenMap {
 	return TokenMap{}
@@ -42,17 +44,16 @@ func (tm TokenMap) LoadTokensFromFile(path string) error {
 	return err
 }
 
-// GenerateNewToken generate a new token
+// GenerateNewToken generates a new secure random token and its bcrypt hash
+// The token is 32 bytes (256 bits) of cryptographically secure random data
+// encoded as a 64-character hex string. The hash is a bcrypt hash of the
+// random bytes using default cost parameters.
 func GenerateNewToken() (string, string, error) {
-	tokenBytes := make([]byte, 28)
-	for i := range tokenBytes {
-		maxInt := big.NewInt(int64(255))
-		randInt, err := rand.Int(rand.Reader, maxInt)
-		if err != nil {
-			return "", "", err
-		}
-		tokenBytes[i] = uint8(randInt.Int64())
+	tokenBytes := make([]byte, TokenSize)
+	if _, err := rand.Read(tokenBytes); err != nil {
+		return "", "", fmt.Errorf("failed to generate random token: %w", err)
 	}
+
 	hashBytes, err := bcrypt.GenerateFromPassword(tokenBytes, bcrypt.DefaultCost)
 	if err != nil {
 		return "", "", err
|
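Review bot: `bcrypt.GenerateFromPassword(tokenBytes, bcrypt.DefaultCost)` hashes the raw 32 random bytes while the new doc comment says the caller receives the hex-encoded form, so whatever verifies a presented token must hex-decode it before `bcrypt.CompareHashAndPassword` or every comparison fails; the tail of GenerateNewToken where the hex string is built lies outside the hunk, so this is inferred from the comment rather than seen. Raw bytes can also contain 0x00: Go's bcrypt keys on all 32 bytes, but any C-derived bcrypt that later consumes these hashes stops at the first NUL, so hashing the encoded form, `bcrypt.GenerateFromPassword([]byte(hex.EncodeToString(tokenBytes)), bcrypt.DefaultCost)` (64 bytes, under bcrypt's 72-byte limit), keeps the hashed value identical to what is handed out and free of NULs. The comment hard-codes "32 bytes" and "64-character" next to a constant meant to be the single source of truth; derive them instead, e.g. `// The token is TokenSize bytes of cryptographically secure random data, hex-encoded (2*TokenSize characters).` Note too that a 256-bit random token gains nothing from bcrypt's slow KDF, and a cost-10 compare on every authenticated request is a cheap DoS lever if the verifier walks the token map — if verification is per-request, a plain SHA-256 of the token is the usual choice. Lastly `"failed to generate random token: %w"` carries a redundant prefix once chained; `"generating random token: %w"` reads cleaner.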