
Fullstack boilerplate has APP_SECRET but it seems prisma token command uses PRISMA_SECRET

Open keberox opened this issue 6 years ago • 3 comments

Hello, I wanted to give the fullstack react example a try. I followed the steps in How To GraphQL and got to the point where in the Playground I was trying to query the server running at port :4000.

I followed the instructions for generating a token using prisma token and added the token to the authentication header. When I tried to run a query I was getting an "Invalid Signature".

After a while of looking at the server/src/util.js file that seems to authenticate the requests, I noticed it is using the APP_SECRET to verify the token:

const { userId } = jwt.verify(token, process.env.APP_SECRET)

What I suspected is that the prisma token command would use the PRISMA_SECRET and not the APP_SECRET; when I changed that to use the PRISMA_SECRET, the server started responding with data.

Is the above an issue in the boilerplate example, or am I doing something wrong?

I read a couple of blog posts about the difference between the two secrets and I think I get that the PRISMA_SECRET will never make it into the client and will remain truly a secret, but I am not sure what the APP_SECRET is used for and why it is being used in the server/src/util.js logic.

I just feel I may be doing something wrong and would appreciate some help. Thanks

keberox avatar Jun 05 '18 15:06 keberox

@keberox From what I have read here https://www.howtographql.com/graphql-js/6-authentication/

I think prisma token, even though it generates a JWT token, is used to validate that a given prisma account or url belongs to you, as in only the owner of that prisma account is calling that url.

Whereas APP_SECRET is a JWT token which will be different and will be used to generate an authorization token for an individual login session. You still need to create this APP_SECRET and also install the jwt library that’s used here.

The APP_SECRET is used to sign the JWTs which you’re issuing for your users. It is completely independent of the secret that’s specified in prisma.yml. In fact, it has nothing to do with Prisma at all, i.e. if you were to swap out the implementation of your database layer, the APP_SECRET would continue to be used in exactly the same way.

vivek12345 avatar Jul 04 '18 14:07 vivek12345

This may seem silly, but it seems neither "secret" value is hidden once the project is deployed... I'm seeing these secrets clearly shown in Prisma examples here on Github.


I'm pretty new to the Prisma way of doing things. I'm used to things being hidden with .gitignore files and what not. Am I missing something very obvious?? How can I push commits to repos and not have anyone just grab these secrets and get access into the endpoints?

napierIO avatar Aug 05 '18 23:08 napierIO

@napierIO The JWT signed token WILL be public but APP_SECRET is an env variable on your server so that should never get exposed to the client. The JWT token is what will allow your client app to authenticate to your GraphQL server. Not really any way around that but you should be rotating the tokens generated for users, setting expirations, and since that token only grants access to YOUR GraphQL server and NOT Prisma, you have complete control over what queries/mutations it can perform. The PRISMA_SECRET is to authenticate between servers, your GraphQL server and your Prisma server, again never making it to the client.

Since those are environment variables, you should NOT be checking them into your repository. Hide them in .gitignore and set the same variables (or different ones) on your host.

More info on JWT tokens: https://github.com/auth0/node-jsonwebtoken

danielmahon avatar Aug 24 '18 19:08 danielmahon