JWT Secret Keys Exposed in Node.js Applications

// SECURE: JWT implementation using environment variables
const jwt = require('jsonwebtoken');
const crypto = require('crypto');

// Validate JWT secret at startup
const JWT_SECRET = process.env.JWT_SECRET;
const REFRESH_SECRET = process.env.JWT_REFRESH_SECRET;

if (!JWT_SECRET || !REFRESH_SECRET) {
    console.error('Missing required JWT secrets in environment variables');
    process.exit(1);
}

// Validate secret strength
if (JWT_SECRET.length < 32 || REFRESH_SECRET.length < 32) {
    console.error('JWT secrets must be at least 32 characters long');
    process.exit(1);
}

class TokenService {
    generateAccessToken(user) {
        return jwt.sign(
            { 
                userId: user.id, 
                username: user.username, 
                role: user.role,
                tokenType: 'access'
            },
            JWT_SECRET,
            { 
                expiresIn: process.env.JWT_EXPIRES_IN || '15m',
                issuer: process.env.JWT_ISSUER || 'app',
                audience: process.env.JWT_AUDIENCE || 'users'
            }
        );
    }

    generateRefreshToken(user) {
        return jwt.sign(
            { 
                userId: user.id,
                tokenType: 'refresh'
            },
            REFRESH_SECRET,
            { 
                expiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d',
                issuer: process.env.JWT_ISSUER || 'app'
            }
        );
    }

    verifyAccessToken(token) {
        return jwt.verify(token, JWT_SECRET);
    }

    verifyRefreshToken(token) {
        return jwt.verify(token, REFRESH_SECRET);
    }
}

// SECURE: Authentication middleware without secret exposure
const jwt = require('jsonwebtoken');
const winston = require('winston');

// Configure secure logger
const logger = winston.createLogger({
    level: 'info',
    format: winston.format.combine(
        winston.format.timestamp(),
        winston.format.errors({ stack: true }),
        winston.format.json()
    ),
    transports: [
        new winston.transports.File({ filename: 'auth.log' })
    ]
});

class AuthMiddleware {
    constructor(tokenService) {
        this.tokenService = tokenService;
    }

    authenticate(req, res, next) {
        const authHeader = req.headers['authorization'];
        const token = authHeader && authHeader.split(' ')[1];

        if (!token) {
            logger.warn('Authentication attempt without token', {
                ip: req.ip,
                userAgent: req.get('User-Agent'),
                path: req.path
            });
            return res.status(401).json({ error: 'Access token required' });
        }

        try {
            const decoded = this.tokenService.verifyAccessToken(token);
            
            // Validate token type
            if (decoded.tokenType !== 'access') {
                throw new Error('Invalid token type');
            }
            
            req.user = {
                userId: decoded.userId,
                username: decoded.username,
                role: decoded.role
            };

            // SECURE: Log success without exposing secrets
            logger.info('Authentication successful', {
                userId: decoded.userId,
                username: decoded.username,
                ip: req.ip,
                path: req.path
            });

            next();
        } catch (error) {
            // SECURE: Error handling without exposing secrets
            logger.error('Authentication failed', {
                error: error.message,
                errorType: error.name,
                ip: req.ip,
                path: req.path,
                // Never log the token or secret
                tokenPresent: !!token
            });

            if (error.name === 'TokenExpiredError') {
                return res.status(401).json({ 
                    error: 'Token expired',
                    code: 'TOKEN_EXPIRED'
                });
            } else if (error.name === 'JsonWebTokenError') {
                return res.status(401).json({ 
                    error: 'Invalid token',
                    code: 'INVALID_TOKEN'
                });
            } else {
                return res.status(401).json({ 
                    error: 'Authentication failed',
                    code: 'AUTH_FAILED'
                });
            }
        }
    }

    requireRole(allowedRoles) {
        return (req, res, next) => {
            if (!req.user) {
                return res.status(401).json({ error: 'Authentication required' });
            }

            if (!allowedRoles.includes(req.user.role)) {
                logger.warn('Authorization failed - insufficient role', {
                    userId: req.user.userId,
                    currentRole: req.user.role,
                    requiredRoles: allowedRoles,
                    path: req.path
                });
                return res.status(403).json({ error: 'Insufficient permissions' });
            }

            next();
        };
    }
}

// SECURE: Advanced token management with rotation
const jwt = require('jsonwebtoken');
const crypto = require('crypto');
const NodeCache = require('node-cache');

// Token blacklist cache (for logout/rotation)
const tokenBlacklist = new NodeCache({ stdTTL: 60 * 60 * 24 }); // 24 hours

class SecureTokenService {
    constructor() {
        this.validateSecrets();
        this.currentSecretVersion = process.env.JWT_SECRET_VERSION || '1';
        this.secretRotationInterval = 24 * 60 * 60 * 1000; // 24 hours
        
        // Support for secret rotation with versioning
        this.secrets = new Map();
        this.loadSecrets();
        
        // Schedule secret rotation check
        setInterval(() => this.checkSecretRotation(), 60 * 60 * 1000); // Check hourly
    }

    validateSecrets() {
        const requiredSecrets = ['JWT_SECRET', 'JWT_REFRESH_SECRET'];
        const missingSecrets = requiredSecrets.filter(secret => !process.env[secret]);
        
        if (missingSecrets.length > 0) {
            throw new Error(`Missing JWT secrets: ${missingSecrets.join(', ')}`);
        }

        // Validate secret strength
        if (process.env.JWT_SECRET.length < 32) {
            throw new Error('JWT_SECRET must be at least 32 characters long');
        }
    }

    loadSecrets() {
        // Load current secret
        this.secrets.set(this.currentSecretVersion, {
            access: process.env.JWT_SECRET,
            refresh: process.env.JWT_REFRESH_SECRET,
            createdAt: new Date()
        });

        // Load previous secret for rotation support
        if (process.env.JWT_SECRET_PREVIOUS) {
            const previousVersion = (parseInt(this.currentSecretVersion) - 1).toString();
            this.secrets.set(previousVersion, {
                access: process.env.JWT_SECRET_PREVIOUS,
                refresh: process.env.JWT_REFRESH_SECRET_PREVIOUS,
                createdAt: new Date(Date.now() - this.secretRotationInterval)
            });
        }
    }

    generateTokenPair(user, sessionId = null) {
        const tokenId = crypto.randomUUID();
        const currentSecret = this.secrets.get(this.currentSecretVersion);
        
        const accessToken = jwt.sign(
            {
                userId: user.id,
                username: user.username,
                role: user.role,
                tokenType: 'access',
                tokenId: tokenId,
                secretVersion: this.currentSecretVersion,
                sessionId: sessionId
            },
            currentSecret.access,
            {
                expiresIn: '15m',
                issuer: process.env.JWT_ISSUER,
                audience: process.env.JWT_AUDIENCE,
                jwtid: tokenId
            }
        );

        const refreshToken = jwt.sign(
            {
                userId: user.id,
                tokenType: 'refresh',
                tokenId: tokenId,
                secretVersion: this.currentSecretVersion
            },
            currentSecret.refresh,
            {
                expiresIn: '7d',
                issuer: process.env.JWT_ISSUER,
                jwtid: tokenId
            }
        );

        return { accessToken, refreshToken, tokenId };
    }

    verifyToken(token, tokenType = 'access') {
        if (this.isTokenBlacklisted(token)) {
            throw new Error('Token has been revoked');
        }

        // Try to verify with current secret first
        let decoded;
        let secretVersion = this.currentSecretVersion;
        
        try {
            const currentSecret = this.secrets.get(this.currentSecretVersion);
            const secret = tokenType === 'access' ? currentSecret.access : currentSecret.refresh;
            decoded = jwt.verify(token, secret);
        } catch (error) {
            // If verification fails, try previous secret (for rotation period)
            if (error.name === 'JsonWebTokenError' && this.secrets.size > 1) {
                const previousVersion = (parseInt(this.currentSecretVersion) - 1).toString();
                const previousSecret = this.secrets.get(previousVersion);
                
                if (previousSecret) {
                    const secret = tokenType === 'access' ? previousSecret.access : previousSecret.refresh;
                    decoded = jwt.verify(token, secret);
                    secretVersion = previousVersion;
                }
            }
            
            if (!decoded) {
                throw error;
            }
        }

        // Validate token type
        if (decoded.tokenType !== tokenType) {
            throw new Error(`Invalid token type. Expected: ${tokenType}`);
        }

        // Check if token was issued with old secret and needs refresh
        if (secretVersion !== this.currentSecretVersion) {
            decoded._requiresRefresh = true;
        }

        return decoded;
    }

    refreshTokens(refreshToken) {
        const decoded = this.verifyToken(refreshToken, 'refresh');
        
        // Blacklist the old refresh token
        this.blacklistToken(refreshToken);
        
        // Generate new token pair
        const user = { id: decoded.userId }; // Fetch full user data from DB
        return this.generateTokenPair(user);
    }

    blacklistToken(token) {
        try {
            const decoded = jwt.decode(token);
            if (decoded && decoded.exp) {
                const ttl = decoded.exp - Math.floor(Date.now() / 1000);
                if (ttl > 0) {
                    tokenBlacklist.set(token, true, ttl);
                }
            }
        } catch (error) {
            // Token invalid, but blacklist anyway
            tokenBlacklist.set(token, true, 60 * 60 * 24); // 24 hours
        }
    }

    isTokenBlacklisted(token) {
        return tokenBlacklist.has(token);
    }

    checkSecretRotation() {
        const currentSecret = this.secrets.get(this.currentSecretVersion);
        const age = Date.now() - currentSecret.createdAt.getTime();
        
        if (age > this.secretRotationInterval) {
            console.warn('JWT secret rotation required. Current secret age:', age);
            // Implement secret rotation logic here
            // This would typically involve updating environment variables
            // and reloading secrets from a secret management service
        }
    }

    getTokenMetrics() {
        return {
            currentSecretVersion: this.currentSecretVersion,
            secretCount: this.secrets.size,
            blacklistedTokens: tokenBlacklist.keys().length,
            secretAge: Date.now() - this.secrets.get(this.currentSecretVersion).createdAt.getTime()
        };
    }
}