fix: session upgrade percentage should be based on session, not request (#2371)

In #2356 a session would be upgraded to v2 refresh tokens based on the
number of requests for that session. If you set a percentage value of
10% and there's 100 refresh token requests per session, all sessions
would be upgraded within 1 day.

This is rectified here by converting the session ID to a value in the
`[0, 100)` range making sure that a random selection of sessions would
be upgraded consistently.

Author: hf

internal/tokens/service.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"hash/crc32"
 	mathRand "math/rand"
 	"net/http"
 	"net/url"
@@ -414,7 +415,15 @@ func (s *Service) RefreshTokenGrant(ctx context.Context, db *storage.Connection,
 
 					issuedToken = newToken.Token
 
-					shouldUpgrade := config.Security.RefreshTokenAlgorithmVersion == 2 && (config.Security.RefreshTokenUpgradePercentage >= 100 || mathRand.Intn(100) < config.Security.RefreshTokenUpgradePercentage) // #nosec
+					shouldUpgrade := config.Security.RefreshTokenAlgorithmVersion == 2 && config.Security.RefreshTokenUpgradePercentage > 0
+
+					if shouldUpgrade && config.Security.RefreshTokenUpgradePercentage < 100 {
+						// convert the session ID to a number in the range [0, 100) and check whether it should be upgraded
+						// we don't want a % of refresh token requests, but a % of sessions here!
+
+						sessionRand := mathRand.New(mathRand.NewSource(int64(crc32.ChecksumIEEE(session.ID.Bytes())))) // #nosec
+						shouldUpgrade = sessionRand.Intn(100) < config.Security.RefreshTokenUpgradePercentage          // #nosec
+					}
 
 					if shouldUpgrade {
 						// got v1 refresh token that should be upgraded to v2