fix(session): use dedicated SESSION_SECRET instead of JWT secret
Sharing the JWT secret with express-session means a single leaked secret compromises both auth mechanisms. SESSION_SECRET is now read from its own env var, falling back to SECRET only if not set.
This commit is contained in:
+1
-1
@@ -21,7 +21,7 @@ function createApp() {
|
|||||||
app.use(require('method-override')());
|
app.use(require('method-override')());
|
||||||
app.use(express.static(__dirname + '/../public'));
|
app.use(express.static(__dirname + '/../public'));
|
||||||
app.use(session({
|
app.use(session({
|
||||||
secret: config.secret,
|
secret: process.env.SESSION_SECRET || config.secret,
|
||||||
cookie: { maxAge: config.session_lifetime },
|
cookie: { maxAge: config.session_lifetime },
|
||||||
resave: false,
|
resave: false,
|
||||||
saveUninitialized: false
|
saveUninitialized: false
|
||||||
|
|||||||
Reference in New Issue
Block a user