The way IVs, keys and other tokens used for cryptographic purposes are generated by this framework fall-back to an insecure mode of generation:

e.g. https://github.com/henrylee2cn/faygo/blob/master/utils/rand.go

• Falling back to math/rand if crypto/rand fails is dangerous: if the system CSPRNG fails, you should consider crashing, restarting or trying again (and serve the user an opaque error where possible). You cannot trust the values of math/rand to be secure for session tokens, CSRF tokens or cryptographic keys because they are deterministic and may be guessed by an attacker.
• Conforming the generated bytes to a static alphabet introduces bias. Instead, you should just base64 (or base32, or hex) encode the generated bytes if they need to be consumed in a string context.

I've made a PR here that addresses these issues: #7

Further reading:

• http://www.2uo.de/myths-about-urandom/
• https://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/

Thanks for your issues very much! I have merged your code and made same fixes.

https://github.com/henrylee2cn/faygo/blob/master/utils/rand.go#L25