From ccd3d80baeb6967ef1022234d1d837669794a3b5 Mon Sep 17 00:00:00 2001
From: Paul Bienkowski
Date: Sat, 27 Feb 2021 13:06:06 +0100
Subject: [PATCH] api: Configure jwt and cookie secret separately

---
 api/config.dev.json | 3 ++-
 api/{config.json.production => config.json.example} | 3 ++-
 api/src/config.js | 3 ++-
 api/src/index.js | 3 ++-
 api/src/models/User.js | 3 +--
 api/src/passport.js | 4 ++--
 6 files changed, 11 insertions(+), 8 deletions(-)
 rename api/{config.json.production => config.json.example} (67%)

diff --git a/api/config.dev.json b/api/config.dev.json
index 3b7f9b1..ced6214 100644
--- a/api/config.dev.json
+++ b/api/config.dev.json
@@ -1,4 +1,5 @@
 {
- "secret": "CHANGEME!!!!!!!!!!@##@!!$$$$$$$$$$$$$!!",
+ "cookieSecret": "CHANGEME!!!!!!!!!!@##@!!$$$$$$$$$$$$$!!",
+ "jwtSecret": "CHANGEME??????????????////3212321;312kjbkasjd",
 "mail": false
 }
diff --git a/api/config.json.production b/api/config.json.example
similarity index 67%
rename from api/config.json.production
rename to api/config.json.example
index 4e9a02f..94bd39b 100644
--- a/api/config.json.production
+++ b/api/config.json.example
@@ -1,5 +1,6 @@
 {
- "secret": "CHANGEME",
+ "cookieSecret": "CHANGEME!!!!!!!!!!!!!!!!!!!!!11",
+ "jwtSecret": "CHANGEME???????????????????////",
 "mail": {
 "from": "Sender Name ",
 "smtp" : {
diff --git a/api/src/config.js b/api/src/config.js
index a82d2d3..c41431d 100644
--- a/api/src/config.js
+++ b/api/src/config.js
@@ -4,7 +4,8 @@ const Joi = require('joi');
 const configSchema = Joi.object()
 .required()
 .keys({
- secret: Joi.string().min(16).max(128).required(),
+ jwtSecret: Joi.string().min(16).max(128).required(),
+ cookieSecret: Joi.string().min(16).max(128).required(),
 mail: Joi.alternatives().try(
 Joi.object({
diff --git a/api/src/index.js b/api/src/index.js
index 46f6ede..5d2b1ba 100644
--- a/api/src/index.js
+++ b/api/src/index.js
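Review bot: The `min(16)` carried over to the new `jwtSecret` line in config.js is shorter than the HS256 key size: RFC 7518 §3.2 requires an HMAC key at least as long as the hash output, i.e. 32 bytes for HS256, which the passport.js hunk pins via `algorithms: ['HS256']`; the line should read `jwtSecret: Joi.string().min(32).max(128).required(),` (the 31-character placeholder in config.json.example would then need lengthening). The schema also still accepts the committed `CHANGEME…` placeholders from config.dev.json and config.json.example, so a deployment that forgets to replace them boots without complaint; a guard such as `.pattern(/^CHANGEME/, { invert: true })` on both secret lines would fail fast, assuming the project's Joi version supports the `invert` option. The `.keys({ … })` object continues past the end of the hunk.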
@@ -6,6 +6,7 @@ const cors = require('cors');
 const errorhandler = require('errorhandler');
 const passport = require('passport');
+const config = require('./config');
 require('./passport');
 const isProduction = process.env.NODE_ENV === 'production';
@@ -27,7 +28,7 @@ app.use(bodyParser.urlencoded({ limit: '50mb', extended: false }));
 app.use(require('method-override')());
 app.use(express.static(path.join(__dirname, 'public')));
-app.use(session({ secret: 'obsobs', cookie: { maxAge: 10 * 60 * 1000 }, resave: false, saveUninitialized: false }));
+app.use(session({ secret: config.cookieSecret, cookie: { maxAge: 10 * 60 * 1000 }, resave: false, saveUninitialized: false }));
 app.use(passport.initialize());
 app.use(passport.session());
diff --git a/api/src/models/User.js b/api/src/models/User.js
index 28ca006..91f9930 100644
--- a/api/src/models/User.js
+++ b/api/src/models/User.js
@@ -2,7 +2,6 @@ const mongoose = require('mongoose');
 const uniqueValidator = require('mongoose-unique-validator');
 const crypto = require('crypto');
 const jwt = require('jsonwebtoken');
-const secret = require('../config').secret;
 const schema = new mongoose.Schema(
 {
@@ -61,7 +60,7 @@ class User extends mongoose.Model {
 username: this.username,
 exp: parseInt(exp.getTime() / 1000),
 },
- secret,
+ config.jwtSecret,
 );
 }
diff --git a/api/src/passport.js b/api/src/passport.js
index 0c21436..06e1fc2 100644
--- a/api/src/passport.js
+++ b/api/src/passport.js
@@ -6,7 +6,7 @@ const { Strategy: CustomStrategy } = require('passport-custom');
 const { User, AccessToken, RefreshToken } = require('./models');
-const secret = require('./config').secret;
+const config = require('./config');
 // used to serialize the user for the session
 passport.serializeUser(function (user, done) {
@@ -82,7 +82,7 @@ passport.use(
 'jwt',
 new JwtStrategy(
 {
- secretOrKey: secret,
+ secretOrKey: config.jwtSecret,
 jwtFromRequest: getRequestToken,
 algorithms: ['HS256'],
 },
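Review bot: The rewritten `app.use(session(...))` line in index.js still configures the cookie with only `maxAge`, so `secure` and `sameSite` are left at express-session's defaults even though `isProduction` is already computed in the previous hunk; `cookie: { maxAge: 10 * 60 * 1000, httpOnly: true, secure: isProduction, sameSite: 'lax' }` would keep the session cookie off plain HTTP in production (behind a TLS-terminating proxy this also requires `app.set('trust proxy', 1)`, which is not visible in the hunk). express-session additionally accepts an array for `secret`, so declaring `cookieSecret` as a single string in config.js rules out rotating the cookie secret without invalidating existing sessions; that is worth a comment on the config line if it is intentional.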
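Review bot: `config.jwtSecret` on the new line in User.js has no visible binding: the first User.js hunk removes `const secret = require('../config').secret;` without adding a replacement, and the diffstat for the file (1 insertion, 2 deletions) shows nothing else was added, so unless `config` is already required in the unseen lines between the two hunks, signing a token throws a ReferenceError at runtime. Adding `const config = require('../config');` in place of the removed line mirrors what the passport.js hunk does with `const config = require('./config');`. For consistency with passport.js, which pins `algorithms: ['HS256']` on verification, the signing call (presumably `jwt.sign`, given the `jsonwebtoken` require) should also pass `{ algorithm: 'HS256' }` explicitly rather than relying on the library default. The method containing the signing call starts and ends outside the hunk.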