harmonize secret generation + don't generate in production mode

packages/core/admin/server/bootstrap.js

@@ -61,6 +61,7 @@ module.exports = async () => {
   const userService = getService('user');
   const roleService = getService('role');
   const apiTokenService = getService('api-token');
+  const tokenService = getService('token');
 
   await roleService.createRolesIfNoneExist();
   await roleService.resetSuperAdminPermissions();
@@ -73,5 +74,6 @@ module.exports = async () => {
 
   await syncAuthSettings();
 
-  apiTokenService.createSaltIfNotDefined();
+  apiTokenService.checkSaltIsDefined();
+  tokenService.checkSecretIsDefined();
 };

packages/core/admin/server/services/api-token.js

@@ -74,20 +74,13 @@ const create = async attributes => {
 /**
  * @returns {void}
  */
-const createSaltIfNotDefined = () => {
-  if (strapi.config.get('admin.apiToken.salt')) {
-    return;
-  }
-
-  if (process.env.API_TOKEN_SALT) {
+const checkSaltIsDefined = () => {
+  if (!strapi.config.get('admin.apiToken.salt')) {
+    const secretExample = crypto.randomBytes(16).toString('base64');
     throw new Error(
-      `There's something wrong with the configuration of your api-token salt. If you have changed the env variable used in the configuration file, please verify that you have created and set the variable in your .env file.`
+      `Missing admin.apiToken.salt. Please set admin.apiToken.salt in config/admin.js (ex: ${secretExample})`
     );
   }
-
-  const salt = crypto.randomBytes(16).toString('hex');
-  strapi.fs.appendFile(process.env.ENV_PATH || '.env', `API_TOKEN_SALT=${salt}\n`);
-  strapi.config.set('admin.apiToken.salt', salt);
 };
 
 /**
@@ -162,7 +155,7 @@ const getBy = async (whereParams = {}) => {
 module.exports = {
   create,
   exists,
-  createSaltIfNotDefined,
+  checkSaltIsDefined,
   hash,
   list,
   revoke,

packages/core/admin/server/services/token.js

@@ -49,9 +49,22 @@ const decodeJwtToken = token => {
   }
 };
 
+/**
+ * @returns {void}
+ */
+const checkSecretIsDefined = () => {
+  if (strapi.config.serveAdminPanel && !strapi.config.get('admin.auth.secret')) {
+    const secretExample = crypto.randomBytes(16).toString('base64');
+    throw new Error(
+      `Missing admin.auth.secret. Please set admin.auth.secret in config/admin.js (ex: ${secretExample})`
+    );
+  }
+};
+
 module.exports = {
   createToken,
   createJwtToken,
   getTokenOptions,
   decodeJwtToken,
+  checkSecretIsDefined,
 };

packages/generators/app/lib/create-project.js

@@ -16,7 +16,6 @@ const mergeTemplate = require('./utils/merge-template.js');
 
 const packageJSON = require('./resources/json/package.json');
 const createDatabaseConfig = require('./resources/templates/database.js');
-const createAdminConfig = require('./resources/templates/admin-config.js');
 const createEnvFile = require('./resources/templates/env.js');
 
 module.exports = async function createProject(scope, { client, connection, dependencies }) {
@@ -72,7 +71,6 @@ module.exports = async function createProject(scope, { client, connection, depen
     );
 
     // create config/server.js
-    await fse.writeFile(join(rootPath, `config/admin.js`), createAdminConfig());
     await trackUsage({ event: 'didCopyConfigurationFiles', scope });
 
     // merge template files if a template is specified

packages/generators/app/lib/resources/files/config/admin.js

@@ -0,0 +1,8 @@
+module.exports = ({ env }) => ({
+  auth: {
+    secret: env('ADMIN_JWT_SECRET'),
+  },
+  apiToken: {
+    salt: env('API_TOKEN_SALT'),
+  },
+});

packages/generators/app/lib/resources/templates/admin-config.js

@@ -1,16 +0,0 @@
-'use strict';
-
-const crypto = require('crypto');
-
-const fs = require('fs');
-const path = require('path');
-const _ = require('lodash');
-
-module.exports = () => {
-  const tmpl = fs.readFileSync(path.join(__dirname, `admin-config.template`));
-  const compile = _.template(tmpl);
-
-  return compile({
-    adminJwtToken: crypto.randomBytes(16).toString('hex'),
-  });
-};

packages/generators/app/lib/resources/templates/admin-config.template

@@ -1,5 +0,0 @@
-module.exports = ({ env }) => ({
-  auth: {
-    secret: env('ADMIN_JWT_SECRET', '<%= adminJwtToken %>'),
-  },
-});

packages/generators/app/lib/resources/templates/env.template

@@ -1,3 +1,5 @@
 HOST=0.0.0.0
 PORT=1337
 APP_KEYS=<%= appKeys %>
+API_TOKEN_SALT=<%= apiTokenSalt %>
+ADMIN_JWT_SECRET= <%= adminJwtToken %>

packages/plugins/users-permissions/package.json

@@ -43,8 +43,7 @@
     "react-router-dom": "5.2.0",
     "redux-saga": "^0.16.0",
     "request": "^2.83.0",
-    "url-join": "4.0.1",
-    "uuid": "^3.1.0"
+    "url-join": "4.0.1"
   },
   "devDependencies": {
     "koa": "^2.13.1"

packages/plugins/users-permissions/server/bootstrap/index.js

@@ -7,9 +7,9 @@
  * This gives you an opportunity to set up your data model,
  * run jobs, or perform some special logic.
  */
+const crypto = require('crypto');
 const _ = require('lodash');
 const urljoin = require('url-join');
-const uuid = require('uuid/v4');
 const { getService } = require('../utils');
 const getGrantConfig = require('./grant-config');
 
@@ -29,7 +29,14 @@ module.exports = async ({ strapi }) => {
   await getService('users-permissions').initialize();
 
   if (!strapi.config.get('plugin.users-permissions.jwtSecret')) {
-    const jwtSecret = uuid();
+    const jwtSecret = crypto.randomBytes(16).toString('base64');
+
+    if (process.env.NODE_ENV === 'production') {
+      throw new Error(
+        `[Users & Permissions] Missing jwtSecret. Please set jwtSecret in your config or set environment variable JWT_SECRET (ex: ${jwtSecret}).`
+      );
+    }
+
     strapi.config.set('plugin.users-permissions.jwtSecret', jwtSecret);
 
     if (!process.env.JWT_SECRET) {