arcodange/dance-lessons-coach
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(auth): JWT TTL hot-reload + fix hardcoded 24h bug (ADR-0023 Phase 2) (#44)
Some checks failed
CI/CD Pipeline / Build Docker Cache (push) Successful in 23s
Details
CI/CD Pipeline / CI Pipeline (push) Failing after 5m23s
Details
CI/CD Pipeline / Trigger Docker Push (push) Has been skipped
Details

Browse Source 
Co-authored-by: Gabriel Radureau <arcodange@gmail.com>
Co-committed-by: Gabriel Radureau <arcodange@gmail.com>
This commit was merged in pull request #44.
This commit is contained in:
Gabriel Radureau
2026-05-05 09:09:22 +02:00
committed by arcodange
parent 4afc15b82e
commit 3c73ca39d6
5 changed files with 73 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
pkg/config/config.go
View File

@@ -609,11 +609,15 @@ func (c *Config) setupLogOutput() {
// WatchAndApply starts watching the config file for changes and applies the
// hot-reloadable subset on every change (ADR-0023 selective hot-reload).
//
// Phase 1 (this PR) reloads:
// - logging.level — re-applies via SetupLogging on every change.
// Phases shipped:
// - Phase 1: logging.level — re-applied via SetupLogging on every change.
// - Phase 2: auth.jwt.ttl — picked up automatically because the userService
// reads it via JWTConfig.GetTTL (a method value capturing this *Config).
// The reloaded TTL is used on the NEXT token generation; tokens issued
// before the change keep their original expiry.
//
// The other fields listed in ADR-0023 (api.v2_enabled, telemetry sampler,
// auth.jwt.ttl) remain restart-only until their handlers land in a follow-up.
// The other fields listed in ADR-0023 (api.v2_enabled, telemetry sampler)
// remain restart-only until their handlers land in subsequent phases.
//
// Stops when ctx is cancelled. Safe to call once at server startup.
// If the config file is absent (ConfigFileNotFoundError at load time), this
@@ -641,7 +645,10 @@ func (c *Config) WatchAndApply(ctx context.Context) {
// Apply hot-reloadable fields. Order matters: logging first so the
// rest of the reload is logged at the right level.
c.SetupLogging()
log.Info().Str("logging_level", c.GetLogLevel()).Msg("Hot-reload applied (logging.level)")
log.Info().
Str("logging_level", c.GetLogLevel()).
Dur("jwt_ttl", c.GetJWTTTL()).
Msg("Hot-reload applied (logging.level + auth.jwt.ttl)")
})
c.viper.WatchConfig()

33
pkg/config/config_hot_reload_test.go
View File

@@ -21,6 +21,7 @@ func loadFromFile(t *testing.T, path string) *Config {
v.SetConfigFile(path)
v.SetConfigType("yaml")
v.SetDefault("logging.level", "info")
v.SetDefault("auth.jwt.ttl", time.Hour)
require.NoError(t, v.ReadInConfig())
c := &Config{viper: v}
@@ -81,3 +82,35 @@ func TestWatchAndApply_NilViperNoOp(t *testing.T) {
defer cancel()
c.WatchAndApply(ctx)
}
// TestWatchAndApply_JWTTTL proves Phase 2 of ADR-0023: the JWT TTL is
// re-read on every token generation via the GetJWTTTL method value, so
// after a config-file change the new TTL takes effect without restart.
func TestWatchAndApply_JWTTTL(t *testing.T) {
dir := t.TempDir()
path := filepath.Join(dir, "config.yaml")
require.NoError(t, os.WriteFile(path, []byte("auth:\n jwt:\n ttl: 1h\n"), 0644))
c := loadFromFile(t, path)
assert.Equal(t, time.Hour, c.GetJWTTTL())
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
c.WatchAndApply(ctx)
require.NoError(t, os.WriteFile(path, []byte("auth:\n jwt:\n ttl: 30m\n"), 0644))
deadline := time.Now().Add(2 * time.Second)
for time.Now().Before(deadline) {
c.reloadMu.RLock()
ttl := c.GetJWTTTL()
c.reloadMu.RUnlock()
if ttl == 30*time.Minute {
return
}
time.Sleep(20 * time.Millisecond)
}
c.reloadMu.RLock()
defer c.reloadMu.RUnlock()
t.Fatalf("auth.jwt.ttl did not hot-reload to 30m: still %s", c.GetJWTTTL())
}