Hi everyone,
I’m writing this post because, after reading the documentation and setting up my client to connect to the authentication API, I have some questions which I would like to clarify in order to improve the security of my app.
The documentation says that there are 2 sections for the authentication API, one for the admin panel and one for the content, and here is where I get lost with the different configurations that Strapi has.
For the admin panel, you can set up the API token to make a request to Strapi. Currently, I have this configuration:

```js
// config/admin.js
module.exports = ({ env }) => ({
  auth: {
    secret: env("ADMIN_JWT_SECRET", "000000000000000000000"),
  },
});
```
Because I am in the local environment, the `ADMIN_JWT_SECRET` variable is public, but if I would like to make a request to the admin panel in production I should change the config to something like this, is it correct?

```js
// config/admin.js
module.exports = ({ env }) => ({
  auth: {
    secret:
      process.env.ADMIN_JWT_SECRET ||
      env("ADMIN_JWT_SECRET", "000000000000000000000"),
  },
});
```
And the value of `ADMIN_JWT_SECRET` should be generated in the admin panel (Settings > API Token), right?
After installing Strapi, it generated a `.env` file with the variables `JWT_SECRET` and `API_TOKEN_SALT`. Let me know if I am wrong: the `API_TOKEN_SALT` variable is used to generate the JWT token, but I don’t know if for the admin panel or the content. The `JWT_SECRET` variable is used to sign the JWT token (Roles & Permissions - Strapi Developer Docs), but it is not necessary to change it, right?
On the other hand, there is the authentication API for the content, which can be set up thanks to the “Users & Permissions” plugin, which binds the content with roles and permissions. I created a user in Strapi and I am using the JWT returned by Strapi after logging in to the app to make authentication API requests. Its configuration can be customised (Roles & Permissions - Strapi Developer Docs), e.g. to set the expiry date for the token.
I would like you to confirm whether what I have described is correct and if there is something that I have not understood well.