fix jwt token

lisong · lisong · commit 5f162ab3e90b · 2016-11-26T12:07:48.000+08:00
diff --git a/README.md b/README.md
@@ -82,9 +82,13 @@ $ vim config/config.js
     //文件下载地址 CodePush Server 地址 + '/download' download对应app.js里面的地址
     downloadUrl: "http://localhost:3000/download"
   },
+  jwt: {
+    // 登录jwt签名密钥，必须更改，否则有安全隐患，可以使用随机生成的字符串
+    // Recommended: 63 random alpha-numeric characters
+    // Generate using: https://www.grc.com/passwords.htm
+    tokenSecret: 'INSERT_RANDOM_TOKEN_KEY'
+  },
   common: {
-    //登录jwt签名密钥，必须更改，否则有安全隐患，可以使用随机生成的字符串
-    loginSecret: "CodePushServer",
     dataDir: "/Users/tablee/workspaces/data",
     //选择存储类型，目前支持local和qiniu配置
     storageType: "local"
@@ -110,7 +114,7 @@ or point config file and ENV
 $ CONFIG_FILE=/path/to/config.js NODE_ENV=production node ./bin/www # or CONFIG_FILE=/path/to/config.js NODE_ENV=production code-push-server
 ```
 
-notice. you have to change `loginSecret` in config.js for security.
+notice. you have to change `tokenSecret` in config.js for security.
 
 ## Default listen Host/Port  0.0.0.0/3000 
 you can change like this.
@@ -215,7 +219,6 @@ eg.
 ```json
 ...
 "common": {
-  "loginSecret": "CodePushServer",
   "codePushWebUrl": "Your CodePush Web address",
 }
 ...
diff --git a/config/config.js b/config/config.js
@@ -30,9 +30,12 @@ config.development = {
     // public static download spacename.
     public: '/download'
   },
+  jwt: {
+    // Recommended: 63 random alpha-numeric characters
+    // Generate using: https://www.grc.com/passwords.htm
+    tokenSecret: 'INSERT_RANDOM_TOKEN_KEY'
+  },
   common: {
-    // jwt sign secret for auth. you have to modify it for security. use random string instead it.
-    loginSecret: "CodePushServer",
     /*
      * tryLoginTimes is control login error times to avoid force attack.
      * if value is 0, no limit for login auth, it may not safe for account. when it's a number, it means you can
diff --git a/config/config.test.js b/config/config.test.js
@@ -14,8 +14,10 @@ config.test = {
     downloadUrl: "http://localhost:3000/download",
     public: '/download'
   },
+  jwt: {
+    tokenSecret: 'INSERT_RANDOM_TOKEN_KEY'
+  },
   common: {
-    loginSecret: "CodePushServer",
     tryLoginTimes: 10,
     diffNums: 3,
     dataDir: os.tmpdir(),
diff --git a/config/config.testwin.js b/config/config.testwin.js
@@ -14,8 +14,10 @@ config.test = {
     downloadUrl: "http://localhost:3000/download",
     public: '/download'
   },
+  jwt: {
+    tokenSecret: 'INSERT_RANDOM_TOKEN_KEY'
+  },
   common: {
-    loginSecret: "CodePushServer",
     tryLoginTimes: 10,
     diffNums: 3,
     dataDir: os.tmpdir(),
diff --git a/core/middleware.js b/core/middleware.js
@@ -36,9 +36,9 @@ var checkAccessToken = function (accessToken) {
       throw new Error('401 Unauthorized');
     }
     var config = require('../core/config');
-    var loginSecret = _.get(config, 'common.loginSecret');
+    var tokenSecret = _.get(config, 'jwt.tokenSecret');
     var jwt = require('jsonwebtoken');
-    var authData = jwt.verify(accessToken, loginSecret);
+    var authData = jwt.verify(accessToken, tokenSecret);
     var uid = _.get(authData, 'uid', null);
     var hash = _.get(authData, 'hash', null);
     if (parseInt(uid) > 0) {
diff --git a/routes/auth.js b/routes/auth.js
@@ -50,11 +50,11 @@ router.post('/login', function(req, res) {
   var account = _.trim(req.body.account);
   var password = _.trim(req.body.password);
   var config = require('../core/config');
-  var loginSecret = _.get(config, 'common.loginSecret');
+  var tokenSecret = _.get(config, 'jwt.tokenSecret');
   accountManager.login(account, password)
   .then(function (users) {
     var jwt = require('jsonwebtoken');
-    return jwt.sign({ uid: users.id, hash: security.md5(users.ack_code), expiredIn: 7200 }, loginSecret);
+    return jwt.sign({ uid: users.id, hash: security.md5(users.ack_code), expiredIn: 7200 }, tokenSecret);
   })
   .then(function (token) {
     res.send({status:'OK', results: {tokens: token}});
