Use a better algorithm than UTF-8 to derive keys from string secrets.

[madmox]

Using UTF8 "string to bytes" to derive the key used for signing is not secure. Even with long secrets, this prevents the derived key to be properly randomized when converted to a byte array for signing. Any binary value is not necessarily a valid UTF-8 character sequence, and given most secrets are ASCII passphrases, the possible value range is even narrower.

A better approach would be to use PBKDF2 as a key derivation mechanism, but this would introduce a breaking change in the library.

Edit:
Right now, the most secure way to use a truly random key is to generate a binary key using a good random number generator, convert it to base64, and use the following code to generate the JWT:

function getSignedJwt(payload) {
    const keyAsBase64String = getKeyFromConfig();
    const key = Buffer.from(keyAsBase64String, "base64");
    return jws.sign({
        header: { alg: "HS256" },
        payload: payload,
        secret: key
    });
}