:recycle: use env var for token verification

backend/lib/services/user.js

      * @returns {Token}
      */
     validateToken(token) {
-        const key = this.server.registrations['main-app-plugin'].options.jwtKey
+        const key = process.env.APP_SECRET
         try {
             return JWT.verify(token, key)
         } catch (err) {
     }
     /**
      * Uses this.validateToken() to verify hashedSessionToken's
-     * existence, expiry, and also valdiates accessToken
+     * existence, expiry, and also validates accessToken
      * @param {HashedSessionToken} hashedSessionToken
      * @returns {PayloadFromActiveSessions}
      */
             throw new Error('No session token in userSession')
         }
         const sessionTokenIsValid = this.validateToken(sessionToken)
-        return {
-            ...sessionTokenIsValid.payload,
-            sessionToken,
-            email: this.activeSessions[hashedSessionToken].email,
-        }
+        return sessionTokenIsValid
+            ? {
+                  sessionToken,
+                  email: this.activeSessions[hashedSessionToken].email,
+              }
+            : { ...sessionTokenIsValid.payload }
     }
     removeSession(hashedSessionToken) {
         const userSession = this.activeSessions[hashedSessionToken]