use more secure token_urlsafe

files/routes/admin.py

@@ -1890,7 +1890,7 @@ def delete_media_post(v):
 @admin_level_required(PERMS['USER_RESET_PASSWORD'])
 def admin_reset_password(user_id, v):
 	user = get_account(user_id)
-	new_password = secrets.token_hex(31)
+	new_password = secrets.token_urlsafe(57)
 	user.passhash = hash_password(new_password)
 	g.db.add(user)
 

files/routes/login.py

@@ -172,7 +172,7 @@ def sign_up_get(v:Optional[User]):
 		return render_template("login/sign_up_failed_ref.html"), 403
 
 	now = int(time.time())
-	token = secrets.token_hex(16)
+	token = secrets.token_urlsafe(32)
 	session["signup_token"] = token
 
 	formkey_hashstr = str(now) + token + g.agent
@@ -234,7 +234,7 @@ def sign_up_post(v:Optional[User]):
 			ref_user = None
 
 		now = int(time.time())
-		token = secrets.token_hex(16)
+		token = secrets.token_urlsafe(32)
 		session["signup_token"] = token
 		formkey_hashstr = str(now) + token + g.agent
 		formkey = hmac.new(key=bytes(SECRET_KEY, "utf-16"),

files/routes/wrappers.py

@@ -39,7 +39,7 @@ def calc_users():
 
 		if not session.get("session_id"):
 			session.permanent = True
-			session["session_id"] = secrets.token_hex(49)
+			session["session_id"] = secrets.token_urlsafe(98)
 
 		if v:
 			if session["session_id"] in loggedout: del loggedout[session["session_id"]]