From bc24f81c89d7773974a9a4a8a8249942143028dd Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 1 Apr 2026 11:20:14 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20[security]=20Replace=20insecure?=
 =?UTF-8?q?=20random=20with=20secrets=20for=20hardware=20ID?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The hardware ID generation was using the insecure `random` module, which is not suitable for generating secure identifiers. This commit replaces it with the cryptographically secure `secrets` module while maintaining the exact output format (prefix "V" + 32 uppercase hexadecimal characters).

🎯 **What:** The vulnerability fixed is the use of insecure randomness (via `random.randbytes`) for generating hardware IDs.
⚠️ **Risk:** Hardware IDs generated with `random` might be predictable, potentially allowing an attacker to guess or collision identifiers if the random seed is compromised or predictable.
🛡️ **Solution:** Switched to `secrets.token_hex(16).upper()`, which uses the system's best available source of randomness and is recommended for security-sensitive contexts.

Co-authored-by: rnovatorov <20299819+rnovatorov@users.noreply.github.com>
---
 src/enapter/http/api/devices/client.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/enapter/http/api/devices/client.py b/src/enapter/http/api/devices/client.py
index d097e03..a9519b3 100644
--- a/src/enapter/http/api/devices/client.py
+++ b/src/enapter/http/api/devices/client.py
@@ -1,4 +1,4 @@
-import random
+import secrets
 import time
 from typing import AsyncGenerator
 
@@ -161,4 +161,4 @@ def random_device_name(device_type: DeviceType) -> str:
 
 
 def random_hardware_id() -> str:
-    return "V" + "".join(f"{b:02X}" for b in random.randbytes(16))
+    return "V" + secrets.token_hex(16).upper()