node.js - Best practice to store secret for generating JWTs in a NodeJS app
I'm using JWTs for authenticating users on a SPA (Node.js backend, Angular frontend). I have a function in the user model that generates a JWT when a user signs in:
```javascript
// ./models/user.js - Waterline ORM
var Waterline = require('waterline');
var bcrypt = require('bcrypt');
var jwt = require('jsonwebtoken');
// [...]
generateJwt: function() {
  // Set expiration to 60 days from now
  var today = new Date();
  var exp = new Date(today);
  exp.setDate(today.getDate() + 60);
  return jwt.sign({
    _id: this.id,
    username: this.username,
    exp: parseInt(exp.getTime() / 1000), // exp is in seconds since the epoch
  }, 'secret'); // TODO: real secret
}
// [...]
```
This 'secret' shouldn't be hardcoded. Also, it should not be in the codebase or in the repo. What is the best / most secure way to handle this? A config file in a shared folder that is symlinked when deploying? The database?