fix(session): use dedicated SESSION_SECRET instead of JWT secret
Sharing the JWT secret with express-session means a single leaked secret compromises both auth mechanisms. SESSION_SECRET is now read from its own env var, falling back to SECRET only if not set.
This commit is contained in:
+1
-1
@@ -21,7 +21,7 @@ function createApp() {
|
||||
app.use(require('method-override')());
|
||||
app.use(express.static(__dirname + '/../public'));
|
||||
app.use(session({
|
||||
secret: config.secret,
|
||||
secret: process.env.SESSION_SECRET || config.secret,
|
||||
cookie: { maxAge: config.session_lifetime },
|
||||
resave: false,
|
||||
saveUninitialized: false
|
||||
|
||||
Reference in New Issue
Block a user