We should let the user know if they use an unsafe JWT_SECRET when they are not using production. jsonwebtoken uses HS256 as the algorithm, and I read an article that it is possible to actually brute force the secret of an HS256 algorithm when using a "bad" secret. Actually one should use a 256-bit secret, which is the equivalent of 32 characters, since 1 char is 8 bit.
It would be better to actually throw when using NODE_ENV=production and not using a strong secret. Also it would be good to let the user know if they are using a "good" secret.
I would recommend something similar to:
```js
// api/services/production.service.js
const productionService = () => {
  if (
    process.env.NODE_ENV
    // we have to choose a strong secret
    && process.env.JWT_SECRET
    && process.env.DB_NAME
    && process.env.DB_USER
    && process.env.DB_PASS
  ) {
    // 256 bit = 32 characters at 8 bit per character
    if (process.env.JWT_SECRET.length <= 31) {
      throw new Error('Not safe for production: JWT_SECRET should be at least 256 bit, e.g. 32 characters long');
    }
    return true;
  }
  throw new Error('Not safe for production: you forgot to set one or more environment variables');
};

module.exports = productionService;
```

```js
// api/services/auth.service.js
const jwt = require('jsonwebtoken');
const productionService = require('./production.service');

// true when no JWT_SECRET is set (we fall back to a default) or the configured one is long enough
const safeSecret = process.env.JWT_SECRET ? process.env.JWT_SECRET.length >= 32 : true;

const secret = () => {
  if ((safeSecret && process.env.JWT_SECRET)
    || (process.env.NODE_ENV === 'production' && productionService())) {
    return process.env.JWT_SECRET;
  }
  if (!safeSecret && process.env.JWT_SECRET) {
    // weak secret outside production: warn loudly but keep going
    console.error('\n\n\nYou are using a JWT_SECRET that would not be safe for production. Keep in mind that your secret should be at least 256 bit, e.g. 32 characters long.\n\n\n');
    return process.env.JWT_SECRET;
  }
  return 'secret';
};

const mySecret = secret();

const authService = () => {
  const issue = (payload) => jwt.sign(payload, mySecret, { expiresIn: 10800 });
  const verify = (token, cb) => jwt.verify(token, mySecret, {}, cb);
  return {
    issue,
    verify,
  };
};

module.exports = authService;
```