✨ feat(auth): JWT TTL hot-reload + fix hardcoded 24h bug (ADR-0023 Phase 2) (#44)

Co-authored-by: Gabriel Radureau <arcodange@gmail.com>
Co-committed-by: Gabriel Radureau <arcodange@gmail.com>

pkg/config/config_hot_reload_test.go

@@ -21,6 +21,7 @@ func loadFromFile(t *testing.T, path string) *Config {
 	v.SetConfigFile(path)
 	v.SetConfigType("yaml")
 	v.SetDefault("logging.level", "info")
+	v.SetDefault("auth.jwt.ttl", time.Hour)
 	require.NoError(t, v.ReadInConfig())
 
 	c := &Config{viper: v}
@@ -81,3 +82,35 @@ func TestWatchAndApply_NilViperNoOp(t *testing.T) {
 	defer cancel()
 	c.WatchAndApply(ctx)
 }
+
+// TestWatchAndApply_JWTTTL proves Phase 2 of ADR-0023: the JWT TTL is
+// re-read on every token generation via the GetJWTTTL method value, so
+// after a config-file change the new TTL takes effect without restart.
+func TestWatchAndApply_JWTTTL(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "config.yaml")
+	require.NoError(t, os.WriteFile(path, []byte("auth:\n  jwt:\n    ttl: 1h\n"), 0644))
+
+	c := loadFromFile(t, path)
+	assert.Equal(t, time.Hour, c.GetJWTTTL())
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	c.WatchAndApply(ctx)
+
+	require.NoError(t, os.WriteFile(path, []byte("auth:\n  jwt:\n    ttl: 30m\n"), 0644))
+
+	deadline := time.Now().Add(2 * time.Second)
+	for time.Now().Before(deadline) {
+		c.reloadMu.RLock()
+		ttl := c.GetJWTTTL()
+		c.reloadMu.RUnlock()
+		if ttl == 30*time.Minute {
+			return
+		}
+		time.Sleep(20 * time.Millisecond)
+	}
+	c.reloadMu.RLock()
+	defer c.reloadMu.RUnlock()
+	t.Fatalf("auth.jwt.ttl did not hot-reload to 30m: still %s", c.GetJWTTTL())
+}