From 77cd6351cd8545df6b4c31c2362de314bc7565f3 Mon Sep 17 00:00:00 2001
From: MallamTY <sosanyatemitayonurudeen@gmail.com>
Date: Thu, 13 Oct 2022 10:34:19 -0700
Subject: [PATCH] Reviewed the ReadMe.md for better implementation
 understanding

---
 README.md | 29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index 834777e..c40f1d0 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,9 @@ $ npm install jsonwebtoken
 > If `payload` is not a buffer or a string, it will be coerced into a string using `JSON.stringify`.
 
 `secretOrPrivateKey` is a string, buffer, or object containing either the secret for HMAC algorithms or the PEM
-encoded private key for RSA and ECDSA. In case of a private key with passphrase an object `{ key, passphrase }` can be used (based on [crypto documentation](https://nodejs.org/api/crypto.html#crypto_sign_sign_private_key_output_format)), in this case be sure you pass the `algorithm` option.
+encoded private key for RSA and ECDSA. 
+`secretOrPublicKey` can either be hardcoded or stored in the .env file. For best practice, it should be stored in the .env file 
+In case of a private key with passphrase an object `{ key, passphrase }` can be used (based on [crypto documentation](https://nodejs.org/api/crypto.html#crypto_sign_sign_private_key_output_format)), in this case be sure you pass the `algorithm` option.
 
 `options`:
 
@@ -66,7 +68,7 @@ Synchronous Sign with default (HMAC SHA256)
 
 ```js
 var jwt = require('jsonwebtoken');
-var token = jwt.sign({ foo: 'bar' }, 'shhhhh');
+var token = jwt.sign({ foo: 'bar' }, 'secretOrPrivateKey');
 ```
 
 Synchronous Sign with RSA SHA256
@@ -85,7 +87,7 @@ jwt.sign({ foo: 'bar' }, privateKey, { algorithm: 'RS256' }, function(err, token
 
 Backdate a jwt 30 seconds
 ```js
-var older_token = jwt.sign({ foo: 'bar', iat: Math.floor(Date.now() / 1000) - 30 }, 'shhhhh');
+var older_token = jwt.sign({ foo: 'bar', iat: Math.floor(Date.now() / 1000) - 30 }, 'secretOrPrivateKey');
 ```
 
 #### Token Expiration (exp claim)
@@ -102,7 +104,7 @@ Signing a token with 1 hour of expiration:
 jwt.sign({
   exp: Math.floor(Date.now() / 1000) + (60 * 60),
   data: 'foobar'
-}, 'secret');
+}, 'secretOrPrivateKey');
 ```
 
 Another way to generate a token like this with this library is:
@@ -110,13 +112,13 @@ Another way to generate a token like this with this library is:
 ```javascript
 jwt.sign({
   data: 'foobar'
-}, 'secret', { expiresIn: 60 * 60 });
+}, 'secretOrPrivateKey', { expiresIn: 60 * 60 });
 
 //or even better:
 
 jwt.sign({
   data: 'foobar'
-}, 'secret', { expiresIn: '1h' });
+}, 'secretOrPrivateKey', { expiresIn: '1h' });
 ```
 
 ### jwt.verify(token, secretOrPublicKey, [options, callback])
@@ -131,6 +133,7 @@ jwt.sign({
 
 `secretOrPublicKey` is a string or buffer containing either the secret for HMAC algorithms, or the PEM
 encoded public key for RSA and ECDSA.
+`secretOrPublicKey` can either be hardcoded or stored in the .env file. For best practice, it should be stored in the .env file 
 If `jwt.verify` is called asynchronous, `secretOrPublicKey` can be a function that should fetch the secret or public key. See below for a detailed example
 
 As mentioned in [this comment](https://github.com/auth0/node-jsonwebtoken/issues/208#issuecomment-231861138), there are other libraries that expect base64 encoded secrets (random bytes encoded using base64), if that is your case you can pass `Buffer.from(secret, 'base64')`, by doing this the secret will be decoded using base64 and the token verification will use the original random bytes.
@@ -155,23 +158,23 @@ As mentioned in [this comment](https://github.com/auth0/node-jsonwebtoken/issues
 
 ```js
 // verify a token symmetric - synchronous
-var decoded = jwt.verify(token, 'shhhhh');
+var decoded = jwt.verify(token, 'secretOrPrivateKey');
 console.log(decoded.foo) // bar
 
 // verify a token symmetric
-jwt.verify(token, 'shhhhh', function(err, decoded) {
+jwt.verify(token, 'secretOrPrivateKey', function(err, decoded) {
   console.log(decoded.foo) // bar
 });
 
 // invalid token - synchronous
 try {
-  var decoded = jwt.verify(token, 'wrong-secret');
+  var decoded = jwt.verify(token, 'wrong-secretOrPrivateKey');
 } catch(err) {
   // err
 }
 
 // invalid token
-jwt.verify(token, 'wrong-secret', function(err, decoded) {
+jwt.verify(token, 'wrong-secretOrPrivateKey', function(err, decoded) {
   // err
   // decoded undefined
 });
@@ -279,7 +282,7 @@ Error object:
 * expiredAt: [ExpDate]
 
 ```js
-jwt.verify(token, 'shhhhh', function(err, decoded) {
+jwt.verify(token, 'secretOrPrivateKey', function(err, decoded) {
   if (err) {
     /*
       err = {
@@ -307,7 +310,7 @@ Error object:
   * 'jwt subject invalid. expected: [OPTIONS SUBJECT]'
 
 ```js
-jwt.verify(token, 'shhhhh', function(err, decoded) {
+jwt.verify(token, 'secretOrPrivateKey', function(err, decoded) {
   if (err) {
     /*
       err = {
@@ -329,7 +332,7 @@ Error object:
 * date: 2018-10-04T16:10:44.000Z
 
 ```js
-jwt.verify(token, 'shhhhh', function(err, decoded) {
+jwt.verify(token, 'secretOrPrivateKey', function(err, decoded) {
   if (err) {
     /*
       err = {