✨ feat(auth): JWT TTL hot-reload + fix hardcoded 24h bug (ADR-0023 Phase 2) (#44)

Co-authored-by: Gabriel Radureau <arcodange@gmail.com> Co-committed-by: Gabriel Radureau <arcodange@gmail.com>
2026-05-05 09:09:22 +02:00
parent 4afc15b82e
commit 3c73ca39d6
5 changed files with 73 additions and 10 deletions
--- a/pkg/user/auth_service.go
+++ b/pkg/user/auth_service.go
@@ -11,13 +11,30 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )

-// JWTConfig holds JWT configuration
+// JWTConfig holds JWT configuration.
+//
+// GetTTL, when non-nil, is called on every token generation to read the
+// current TTL — this enables ADR-0023 Phase 2 hot-reload of `auth.jwt.ttl`.
+// If nil, ExpirationTime is used as a static fallback.
 type JWTConfig struct {
 	Secret         string
 	ExpirationTime time.Duration
+	GetTTL         func() time.Duration
 	Issuer         string
 }

+// effectiveTTL returns the live TTL: GetTTL() when wired, else
+// ExpirationTime as a static fallback (used by tests that don't go
+// through the server-level wiring).
+func (c JWTConfig) effectiveTTL() time.Duration {
+	if c.GetTTL != nil {
+		if ttl := c.GetTTL(); ttl > 0 {
+			return ttl
+		}
+	}
+	return c.ExpirationTime
+}
+
 // userServiceImpl implements the unified UserService interface
 type userServiceImpl struct {
 	repo           UserRepository
@@ -69,7 +86,7 @@ func (s *userServiceImpl) GenerateJWT(ctx context.Context, user *User) (string,
 		"sub":   user.ID,
 		"name":  user.Username,
 		"admin": user.IsAdmin,
-		"exp":   time.Now().Add(s.jwtConfig.ExpirationTime).Unix(),
+		"exp":   time.Now().Add(s.jwtConfig.effectiveTTL()).Unix(),
 		"iat":   time.Now().Unix(),
 		"iss":   s.jwtConfig.Issuer,
 	}