My Node.js / Express web app requires a payment gateway that uses an access token that expires every 24 hours. I'm able to successfully create the token, but I need to store it somewhere on the server so that users can submit payments within the 24-hour period.
All the articles / questions I've found are for how to secure API endpoints. That's not what I'm after. I'm looking for the best practice for storing 3rd party API access tokens that the application uses on the server to communicate with a 3rd party service.
Usually I would dump application settings (like DB user / password / host) in an ENV variable or config file (https://www.npmjs.com/package/config) that I define when starting the application, but this access token expires every 24hrs and I've been working on the assumption (for all these years) that these values shouldn't be modified once you start running the application.
How should I store sensitive config data that only the server needs to access in a secure way while also being able to update the data when needed?
If you can obtain a new access token whenever you need to, then you can just store the token in your server's memory. If the server restarts, then you just obtain a new token whenever the server restarts and store it in a module-level JavaScript variable. This will be secure to your server process. You can make whatever internal API you want to that module to get the token for other modules in your server to use. That same module can handle getting a new token whenever the current one expires.
If you have to store the token in a way that persists across a server restart, then you would probably store it in the file system in a file, the same way you might store an https credential. Your server should have some part of the file system that is considered secure to your server account. Then, when your server restarts, it can read it from that file. You will probably also need to store the expiration of that token so you know when it will expire or whether it has already expired.
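The in-memory approach described in the answer above, as an added example that is not part of the original post. `createTokenCache` and the `fetchToken` callback (resolving to `{ token, expiresInSec }`) are assumed names; the gateway's real token call is not shown on this page.

```javascript
// Added example: in-memory cache for a third-party access token.
// fetchToken is a hypothetical function you supply; it calls the gateway's
// token endpoint and resolves to { token, expiresInSec }.
function createTokenCache(fetchToken, { refreshMarginMs = 60_000, now = Date.now } = {}) {
  let cached = null;   // { token, expiresAt }, visible only inside this closure
  let inFlight = null; // shared promise while a refresh is running

  // Treat the token as expired slightly early so a request never goes out
  // with a token that lapses in transit.
  const isFresh = () => cached !== null && now() < cached.expiresAt - refreshMarginMs;

  async function refresh() {
    const { token, expiresInSec } = await fetchToken();
    if (typeof token !== 'string' || !token || !(expiresInSec > 0)) {
      throw new Error('token endpoint returned an unusable response');
    }
    cached = { token, expiresAt: now() + expiresInSec * 1000 };
    return token;
  }

  return {
    // Returns a valid token, contacting the gateway only when needed.
    async getToken() {
      if (isFresh()) return cached.token;
      // Single-flight: concurrent callers wait on one request instead of
      // each asking the gateway for a new token.
      if (!inFlight) {
        inFlight = refresh().finally(() => { inFlight = null; });
      }
      return inFlight;
    },
    // Call when the gateway rejects the token (for example with HTTP 401)
    // so the next getToken() fetches a new one.
    invalidate() { cached = null; },
  };
}

// Constructed stand-in for the gateway call, so the block runs offline.
let demoIssued = 0;
const demoFetchToken = async () => ({ token: `demo-token-${++demoIssued}`, expiresInSec: 86400 });
const demoCache = createTokenCache(demoFetchToken);
Promise.all([demoCache.getToken(), demoCache.getToken()])
  .then(([a, b]) => console.log('same token:', a === b, 'gateway calls:', demoIssued));
```

Keep the token out of log lines and error messages; a failed refresh leaves the cache unchanged, so the next `getToken()` call retries.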