feat: add jwt refresh interval variable

kmendell · kmendell · commit da12762fe400 · 2026-03-04T19:07:59.000-06:00
diff --git a/.env.example b/.env.example
@@ -27,6 +27,8 @@ PGID=1000
 # IMPORTANT: Generate unique values for production!
 ENCRYPTION_KEY=your-32-char-encryption-key-here
 JWT_SECRET=your-super-secret-jwt-key-change-this
+# JWT refresh token expiry duration (default: 168h = 7 days). Accepts Go duration format (e.g., 72h, 720h, 8760h).
+# JWT_REFRESH_EXPIRY=168h
 
 # Database Configuration
 DATABASE_URL=file:data/arcane.db?_pragma=journal_mode(WAL)&_pragma=busy_timeout(2500)&_txlock=immediate
diff --git a/backend/internal/config/config.go b/backend/internal/config/config.go
@@ -27,16 +27,17 @@ const (
 // Fields with `options:"file"` support Docker secrets via the _FILE suffix.
 // Available options: file, toLower, trimTrailingSlash
 type Config struct {
-	AppUrl        string         `env:"APP_URL" default:"http://localhost:3552"`
-	DatabaseURL   string         `env:"DATABASE_URL" default:"file:data/arcane.db?_pragma=journal_mode(WAL)&_pragma=busy_timeout(2500)&_txlock=immediate" options:"file"`
-	Port          string         `env:"PORT" default:"3552"`
-	Listen        string         `env:"LISTEN" default:""`
-	TLSEnabled    bool           `env:"TLS_ENABLED" default:"false"`
-	TLSCertFile   string         `env:"TLS_CERT_FILE" default:""`
-	TLSKeyFile    string         `env:"TLS_KEY_FILE" default:""`
-	Environment   AppEnvironment `env:"ENVIRONMENT" default:"production"`
-	JWTSecret     string         `env:"JWT_SECRET" default:"default-jwt-secret-change-me" options:"file"` //nolint:gosec // configuration field name is part of stable config API
-	EncryptionKey string         `env:"ENCRYPTION_KEY" default:"arcane-dev-key-32-characters!!!" options:"file"`
+	AppUrl           string         `env:"APP_URL" default:"http://localhost:3552"`
+	DatabaseURL      string         `env:"DATABASE_URL" default:"file:data/arcane.db?_pragma=journal_mode(WAL)&_pragma=busy_timeout(2500)&_txlock=immediate" options:"file"`
+	Port             string         `env:"PORT" default:"3552"`
+	Listen           string         `env:"LISTEN" default:""`
+	TLSEnabled       bool           `env:"TLS_ENABLED" default:"false"`
+	TLSCertFile      string         `env:"TLS_CERT_FILE" default:""`
+	TLSKeyFile       string         `env:"TLS_KEY_FILE" default:""`
+	Environment      AppEnvironment `env:"ENVIRONMENT" default:"production"`
+	JWTSecret        string         `env:"JWT_SECRET" default:"default-jwt-secret-change-me" options:"file"` //nolint:gosec // configuration field name is part of stable config API
+	JWTRefreshExpiry time.Duration  `env:"JWT_REFRESH_EXPIRY" default:"168h"`
+	EncryptionKey    string         `env:"ENCRYPTION_KEY" default:"arcane-dev-key-32-characters!!!" options:"file"`
 
 	OidcEnabled                bool   `env:"OIDC_ENABLED" default:"false"`
 	OidcClientID               string `env:"OIDC_CLIENT_ID" default:"" options:"file"`
@@ -274,6 +275,13 @@ func setFieldValue(field reflect.Value, value string) {
 		return
 	}
 
+	if field.Type() == reflect.TypeFor[time.Duration]() {
+		if d, err := time.ParseDuration(value); err == nil {
+			field.SetInt(int64(d))
+		}
+		return
+	}
+
 	// Handle custom types based on underlying kind
 	if field.Type().ConvertibleTo(reflect.TypeFor[string]()) {
 		// String-based types like AppEnvironment
diff --git a/backend/internal/config/config_test.go b/backend/internal/config/config_test.go
@@ -4,6 +4,7 @@ import (
 	"os"
 	"path/filepath"
 	"testing"
+	"time"
 
 	"github.com/getarcaneapp/arcane/backend/internal/common"
 	"github.com/stretchr/testify/assert"
@@ -353,6 +354,32 @@ func TestConfig_GetManagerBaseURL(t *testing.T) {
 	})
 }
 
+func TestConfig_JWTRefreshExpiry(t *testing.T) {
+	origJWTRefreshExpiry := os.Getenv("JWT_REFRESH_EXPIRY")
+	defer restoreEnv("JWT_REFRESH_EXPIRY", origJWTRefreshExpiry)
+
+	t.Run("defaults to 7 days when not set", func(t *testing.T) {
+		unsetEnv(t, "JWT_REFRESH_EXPIRY")
+
+		cfg := Load()
+		assert.Equal(t, 7*24*time.Hour, cfg.JWTRefreshExpiry)
+	})
+
+	t.Run("parses custom duration from env var", func(t *testing.T) {
+		setEnv(t, "JWT_REFRESH_EXPIRY", "48h")
+
+		cfg := Load()
+		assert.Equal(t, 48*time.Hour, cfg.JWTRefreshExpiry)
+	})
+
+	t.Run("supports compound duration format", func(t *testing.T) {
+		setEnv(t, "JWT_REFRESH_EXPIRY", "24h30m")
+
+		cfg := Load()
+		assert.Equal(t, 24*time.Hour+30*time.Minute, cfg.JWTRefreshExpiry)
+	})
+}
+
 func restoreEnv(key, value string) {
 	if value == "" {
 		_ = os.Unsetenv(key)
diff --git a/backend/internal/services/auth_service.go b/backend/internal/services/auth_service.go
@@ -64,7 +64,7 @@ func NewAuthService(userService *UserService, settingsService *SettingsService,
 		settingsService: settingsService,
 		eventService:    eventService,
 		jwtSecret:       crypto.CheckOrGenerateJwtSecret(jwtSecret),
-		refreshExpiry:   7 * 24 * time.Hour,
+		refreshExpiry:   cfg.JWTRefreshExpiry,
 		config:          cfg,
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -64,7 +64,7 @@ func NewAuthService(userService UserService, settingsService SettingsService,`
`64`	`64`	`settingsService: settingsService,`
`65`	`65`	`eventService: eventService,`
`66`	`66`	`jwtSecret: crypto.CheckOrGenerateJwtSecret(jwtSecret),`
`67`		`- refreshExpiry: 7 * 24 * time.Hour,`
	`67`	`+ refreshExpiry: cfg.JWTRefreshExpiry,`
`68`	`68`	`config: cfg,`
`69`	`69`	`}`
`70`	`70`	`}`