21f3560e08
A hardcoded fallback 'acapisecret' was silently used when SECRET was not set, allowing JWT tokens to be forged by anyone knowing the default. The app now throws at module load time if SECRET is absent.
20 lines
437 B
JavaScript
20 lines
437 B
JavaScript
|
|
|
|
|
|
if (!process.env.SECRET) {
|
|
throw new Error('SECRET environment variable is required and must not be empty');
|
|
}
|
|
|
|
const config = {
|
|
secret: process.env.SECRET,
|
|
session_lifetime: parseInt(process.env.SESSION_LIFETIME) || 21600, // 21600 secondes = 6 heures
|
|
initAuth: () => {
|
|
require('./passport-local');
|
|
},
|
|
initApiKey: () => {
|
|
require('./passport-headerapikey');
|
|
}
|
|
};
|
|
|
|
module.exports = config;
|