From 555a3694c96edb293bebe6b296bae083d48674de Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Fri, 3 Apr 2026 21:50:57 +0530
Subject: [PATCH] fix(crypto): use crypto/rand for HMAC key generation

HMAC keys were generated using UUID (which uses math/rand internally
for some implementations). Now uses crypto/rand for 32 bytes of
cryptographic randomness, hex-encoded.

Fixes: M3 (Medium)
---
 internal/crypto/hmac.go | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/internal/crypto/hmac.go b/internal/crypto/hmac.go
index a70916b7c..2ad976a4f 100644
--- a/internal/crypto/hmac.go
+++ b/internal/crypto/hmac.go
@@ -1,13 +1,17 @@
 package crypto
 
 import (
-	"github.com/google/uuid"
+	"crypto/rand"
+	"encoding/hex"
 )
 
-// NewHMAC key returns new key that can be used to ecnrypt data using HMAC algo
-// returns key, string, error
+// NewHMACKey returns a new cryptographically random key for HMAC signing.
 func NewHMACKey(algo, keyID string) (string, string, error) {
-	key := uuid.New().String()
+	keyBytes := make([]byte, 32)
+	if _, err := rand.Read(keyBytes); err != nil {
+		return "", "", err
+	}
+	key := hex.EncodeToString(keyBytes)
 	jwkPublicKey, err := GetPubJWK(algo, keyID, []byte(key))
 	if err != nil {
 		return "", "", err