Fullstack boilerplate has APP_SECRET but it seems prisma token command uses PRISMA_SECRET #380
Comments
@keberox From what I have read here, I think prisma token, even though it generates a JWT token, is used to validate that a given prisma account or url belongs to you, as in the owner of that prisma account is the only one calling that url. Whereas APP_SECRET is a JWT token which will be different and will be used to generate the authorization token for an individual login session.
This may seem silly, but it seems neither "secret" value is hidden once the project is deployed... I'm seeing these secrets clearly shown in Prisma examples here on GitHub. I'm pretty new to the Prisma way of doing things. I'm used to things being hidden with .gitignore files and whatnot. Am I missing something very obvious?? How can I push commits to repos and not have anyone just grab these secrets and get access into the endpoints?
@napierIO The JWT signed token WILL be public, but since those are environment variables you should NOT be checking them into your repository. Hide them in
More info on JWT tokens: https://github.com/auth0/node-jsonwebtoken
Hello,
I wanted to give the fullstack react example a try.
I followed the steps in How To GraphQL and got to the point where in the Playground I was trying to query the server running at port :4000.
I followed the instructions of generating a token using
prisma token
and added the token to the authentication header. When I tried to run a query I was getting an "Invalid Signature".
After a while of looking at the server/src/util.js file that seems to authenticate the requests, I noticed it is using the APP_SECRET to verify the token
const { userId } = jwt.verify(token, process.env.APP_SECRET)
What I suspected is that
prisma token
command would use the PRISMA_SECRET and not the APP_SECRET; when I changed that to use the PRISMA_SECRET, the server started responding with data. Is the above an issue in the boilerplate example or am I doing something wrong?
I read a couple of blog posts about the difference between the 2 secrets and I think I get that the PRISMA_SECRET will never make it into the client and it will remain truly a secret, but I am not sure what the APP_SECRET is used for and why it is being used in the server/src/util.js logic?
I just feel I may be doing something wrong and would appreciate some help.
Thanks