improve customer and employee password reset token's randomness

[matthieu-rolland]

Questions	Answers
Branch?	develop
Description?	Use token generation best practice instead of using mt_rand() which is not cryptographically secure
Type?	improvement
Category?	CO
BC breaks?	no
Deprecations?	no
How to test?	Indicate how to verify that this change works as expected.
Fixed ticket?	none
Related PRs	test that password reset still functions for customer and employee
Sponsor company	@PrestaShopCorp

[Hlavtox]

Be extremely careful with this change. Customer's secure_key is validated against cart secure_key and order secure_key on many places. Make sure not to fuck up people's carts and orders after upgrading. 👍

[matthieu-rolland]

Be extremely careful with this change. Customer's secure_key is validated against cart secure_key and order secure_key on many places. Make sure not to fuck up people's carts and orders after upgrading. +1

I'm launching the full automatic test suite so that such problem would be detected

https://github.com/matthieu-rolland/ga.tests.ui.pr/actions/runs/4385534307

[Hlavtox]

@matthieu-rolland I am checking it right now and it should be safe. It always assigns the secure key of the customer and the customer is the first object created. And this will affect only new customers.

[matthieu-rolland]

actually this simple PR breaks a lot of things :D https://github.com/matthieu-rolland/ga.tests.ui.pr/actions/runs/4385534307/jobs/7678382320

[kpodemski]

@matthieu-rolland yep, in Customer ObjectModel there's a isMd5 for secure_key

[matthieu-rolland]

@matthieu-rolland yep, in Customer ObjectModel there's a isMd5 for secure_key

yep, I'll look further into it 👍 (in a meeting right now)

Edit: So, I need to add a new validation method for these tokens, and to increase the size of the reset_password_token field. Then add unit test for the validation method. I'll do it soon.