The JWT secret is now in a separate file in the newly created folder keys in the root of the project - we are using a 1024bit private key (precaution against brute forcing hs256 - see https://auth0.com/blog/brute-forcing-hs256-is-possible-the-importance-of-using-strong-keys-to-sign-jwts/)

Author: bojidaryovchev

keys/jwt.private.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgHc9aU8P/1PUILe/lUIZye+0nu+o/pzQ5Hvsy+i0cjt/ISE+nl+2
+pTetLVoNaKaGYv2V0jFCkWAp+hsmvPutSsbh62gVtoqcQUJn0PyywTJukXVXzsVa
+EeSrEeEmWF3jmvi97Cg0BoVWrQqHhDdml3gYEPCWYUGlwDwS0ULNq/iJAgMBAAEC
+gYAOtGISP/TKz7QhNN0hQ7DlgK7A+2Q6zn/+0FrtHaOgtrLNOL2rLAj/7rlTC6hG
+MPhwMVO0g3MOGt8fDg3sM5iu9vip18Ekz3YIoZQQqUdYF0SwgZKPKz5wzzw+R7lU
+llmmqMkIY3YpLucpb/dpJBT9Y2zq0/J0o50ykGyTVs6+oQJBALX0dweLaD+yyePj
+VTyUiPlc7q0mUyOlo20z5eMfItzr2yOGadrxayYzDm+XEzBVEG3AMpyeEwFg1bK7
+bNfWf1UCQQCnw3mgSYZPShzLvvUGCyte4Ys4NoSnY7No6YbTO1/oA8iSnXR3KBZK
+kOgqZdpMPOkDoVDr+YS7wRS6c1lORMxlAkB90GBNszOOeA3pqdPSY9KiuoO+7nUm
+fO4YIH6hIXJ12BBa7CJd5fj1HPCqcIgwL2GAwhk8+oChv1eEktycEhFRAkEAmGZE
+A+8m2rqZxCEZlz7oTE4Z2Zv1D9bLcX/LIfKrIirltwLgfSpmbaCLt5BFKcKfbtPJ
+nkRSZvl0qhgFRcvL3QJAEqvabbcjmSL9IHMF02mJYs/cey2LFqjhge++zY+sr91d
+nMqwJ1mue4XQVaSZfSF8GNk+YpR7DFNgKJEaQB4q9w==
+-----END RSA PRIVATE KEY-----

keys/jwt.public.key

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgHc9aU8P/1PUILe/lUIZye+0nu+o
+/pzQ5Hvsy+i0cjt/ISE+nl+2pTetLVoNaKaGYv2V0jFCkWAp+hsmvPutSsbh62gV
+toqcQUJn0PyywTJukXVXzsVaEeSrEeEmWF3jmvi97Cg0BoVWrQqHhDdml3gYEPCW
+YUGlwDwS0ULNq/iJAgMBAAE=
+-----END PUBLIC KEY-----

src/server/config/config.ts

@@ -1,4 +1,4 @@
-import { normalize, join } from 'path';
+import { extractKey } from '../utilities/keys';
 
 interface IEnvironmentConfig {
   rootPath: string;
@@ -18,14 +18,15 @@ interface IConfig {
 }
 
 const rootPath = process.cwd();
+const jwtSecret = extractKey(`${rootPath}/keys/jwt.private.key`);
 
 const Config: IConfig = {
   development: {
     rootPath,
     db: 'mongodb://localhost:27017/store',
     httpPort: 1337,
     wsPort: 1338,
-    jwtSecret: 'secret',
+    jwtSecret,
     domain: 'localhost',
     httpProtocol: 'http',
     wsProtocol: 'ws'

src/server/modules/auth/auth.service.ts

@@ -40,14 +40,8 @@ export class AuthService {
     };
   }
 
-  async validateUser(payload: any): Promise<boolean> {
-    const user: IUser = await this.userModel.findById(payload.sub);
-
-    if (user) {
-      return true;
-    }
-
-    return false;
+  async findUserById(id: string): Promise<IUser> {
+    return await this.userModel.findById(id);
   }
 
   async requestFacebookRedirectUri(): Promise<{redirect_uri: string}> {

src/server/modules/auth/interfaces/jwt-payload.interface.ts

@@ -0,0 +1,5 @@
+export interface IJwtPayload {
+  sub: string;
+  iat: number;
+  exp: number;
+};

src/server/modules/auth/passport/jwt.strategy.ts

@@ -5,6 +5,8 @@ import { ExtractJwt, Strategy } from 'passport-jwt';
 
 import { AuthService } from '../auth.service';
 import { SERVER_CONFIG, MESSAGES } from '../../../server.constants';
+import { IUser } from '../../user/interfaces/user.interface';
+import { IJwtPayload } from '../interfaces/jwt-payload.interface';
 
 @Injectable()
 export class JwtStrategy extends Strategy {
@@ -15,16 +17,19 @@ export class JwtStrategy extends Strategy {
         passReqToCallback: true,
         secretOrKey: SERVER_CONFIG.jwtSecret,
       },
-      async (req: Request, payload: any, next: Function) => await this.verify(req, payload, next),
+      async (req: Request, payload: IJwtPayload, next: Function) =>
+        await this.verify(payload, next)
     );
-    use(this);
+    use('jwt', this);
   }
 
-  public async verify(req: Request, payload: any, done: Function) {
-    const isValid = await this.authService.validateUser(payload);
-    if (!isValid) {
+  public async verify(payload: IJwtPayload, done: Function) {
+    const user: IUser = await this.authService.findUserById(payload.sub);
+
+    if (!user) {
       return done(new UnauthorizedException(MESSAGES.UNAUTHORIZED_UNRECOGNIZED_BEARER), false);
     }
-    done(null, payload);
+
+    done(null, user);
   }
 }

src/server/utilities/keys.ts

@@ -0,0 +1,8 @@
+import { readFileSync } from 'fs';
+
+export function extractKey(path: string) {
+  return readFileSync(path)
+    .toString()
+    .replace(/\n|\r/g, '')
+    .replace(/[-]+[\w\s]+[-]+/g, '');
+}