I am using JWTs for authenticating users on a SPA (NodeJS backend, Angular frontend). I have a function in my User model to generate a JWT when the user signs in:
// ./models/user.js - with Waterline as ORM
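// npm package names are lowercase; require('Waterline') only resolves on
// case-insensitive filesystems (macOS/Windows) and fails on Linux hosts.
var Waterline = require('waterline');
var bcrypt = require('bcrypt');
var jwt = require('jsonwebtoken');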
// [...]
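generateJWT: function() {
  // Generate a signed JWT for this user, valid for 60 days.
  //
  // The signing secret is read from the environment (JWT_SECRET is a
  // constructed name — pick your own) so it never lives in source control.
  // Failing fast on a missing secret is deliberate: a silent fallback to a
  // well-known default would let anyone forge tokens for any user.
  // Returns: the compact-serialized JWT string.
  // Throws: Error when the secret is not configured.
  var secret = process.env.JWT_SECRET;
  if (!secret) {
    throw new Error('JWT_SECRET environment variable is not set');
  }

  // Expiry is 60 days from now; the `exp` claim must be whole seconds since
  // the epoch (NumericDate), hence the floor rather than parseInt on a float.
  var now = new Date();
  var expiresAt = new Date(now);
  expiresAt.setDate(now.getDate() + 60);

  return jwt.sign({
    _id: this.id,
    username: this.username,
    exp: Math.floor(expiresAt.getTime() / 1000),
  }, secret, { algorithm: 'HS256' }); // pin the algorithm explicitly rather than relying on the library default
}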
// [...]
This 'SECRET' shouldn't be hard-coded, and it should not live in the codebase or in my repo. So what is the best / most secure way to handle this? A config file in a shared folder that is symlinked at deploy time? The database?