Use 'secrets' module to generate secrets

Python 3.6+ has this

jupyterhub/app.py

@@ -9,6 +9,7 @@ import json
 import logging
 import os
 import re
+import secrets
 import signal
 import socket
 import sys
@@ -1458,7 +1459,7 @@ class JupyterHub(Application):
         if not secret:
             secret_from = 'new'
             self.log.debug("Generating new %s", trait_name)
-            secret = os.urandom(COOKIE_SECRET_BYTES)
+            secret = secrets.token_bytes(COOKIE_SECRET_BYTES)
 
         if secret_file and secret_from == 'new':
             # if we generated a new secret, store it in the secret_file

jupyterhub/singleuser/mixins.py

@@ -13,6 +13,7 @@ import importlib
 import json
 import os
 import random
+import secrets
 from datetime import datetime
 from datetime import timezone
 from textwrap import dedent
@@ -243,7 +244,7 @@ class SingleUserNotebookAppMixin(Configurable):
     cookie_secret = Bytes()
 
     def _cookie_secret_default(self):
-        return os.urandom(32)
+        return secrets.token_bytes(32)
 
     user = CUnicode().tag(config=True)
     group = CUnicode().tag(config=True)

jupyterhub/utils.py

@@ -8,6 +8,7 @@ import hashlib
 import inspect
 import os
 import random
+import secrets
 import socket
 import ssl
 import sys
@@ -319,7 +320,7 @@ def hash_token(token, salt=8, rounds=16384, algorithm='sha512'):
     """
     h = hashlib.new(algorithm)
     if isinstance(salt, int):
-        salt = b2a_hex(os.urandom(salt))
+        salt = b2a_hex(secrets.token_bytes(salt))
     if isinstance(salt, bytes):
         bsalt = salt
         salt = salt.decode('utf8')