feat: add jwt refresh interval variable (#1952)

Author: kmendell

.env.example

@@ -27,6 +27,8 @@ PGID=1000
 # IMPORTANT: Generate unique values for production!
 ENCRYPTION_KEY=your-32-char-encryption-key-here
 JWT_SECRET=your-super-secret-jwt-key-change-this
+# JWT refresh token expiry duration (default: 168h = 7 days). Accepts Go duration format (e.g., 72h, 720h, 8760h).
+# JWT_REFRESH_EXPIRY=168h
 
 # Database Configuration
 DATABASE_URL=file:data/arcane.db?_pragma=journal_mode(WAL)&_pragma=busy_timeout(2500)&_txlock=immediate

backend/internal/config/config.go

@@ -27,16 +27,17 @@ const (
 // Fields with `options:"file"` support Docker secrets via the _FILE suffix.
 // Available options: file, toLower, trimTrailingSlash
 type Config struct {
-	AppUrl        string         `env:"APP_URL" default:"http://localhost:3552"`
-	DatabaseURL   string         `env:"DATABASE_URL" default:"file:data/arcane.db?_pragma=journal_mode(WAL)&_pragma=busy_timeout(2500)&_txlock=immediate" options:"file"`
-	Port          string         `env:"PORT" default:"3552"`
-	Listen        string         `env:"LISTEN" default:""`
-	TLSEnabled    bool           `env:"TLS_ENABLED" default:"false"`
-	TLSCertFile   string         `env:"TLS_CERT_FILE" default:""`
-	TLSKeyFile    string         `env:"TLS_KEY_FILE" default:""`
-	Environment   AppEnvironment `env:"ENVIRONMENT" default:"production"`
-	JWTSecret     string         `env:"JWT_SECRET" default:"default-jwt-secret-change-me" options:"file"` //nolint:gosec // configuration field name is part of stable config API
-	EncryptionKey string         `env:"ENCRYPTION_KEY" default:"arcane-dev-key-32-characters!!!" options:"file"`
+	AppUrl           string         `env:"APP_URL" default:"http://localhost:3552"`
+	DatabaseURL      string         `env:"DATABASE_URL" default:"file:data/arcane.db?_pragma=journal_mode(WAL)&_pragma=busy_timeout(2500)&_txlock=immediate" options:"file"`
+	Port             string         `env:"PORT" default:"3552"`
+	Listen           string         `env:"LISTEN" default:""`
+	TLSEnabled       bool           `env:"TLS_ENABLED" default:"false"`
+	TLSCertFile      string         `env:"TLS_CERT_FILE" default:""`
+	TLSKeyFile       string         `env:"TLS_KEY_FILE" default:""`
+	Environment      AppEnvironment `env:"ENVIRONMENT" default:"production"`
+	JWTSecret        string         `env:"JWT_SECRET" default:"default-jwt-secret-change-me" options:"file"` //nolint:gosec // configuration field name is part of stable config API
+	JWTRefreshExpiry time.Duration  `env:"JWT_REFRESH_EXPIRY" default:"168h"`
+	EncryptionKey    string         `env:"ENCRYPTION_KEY" default:"arcane-dev-key-32-characters!!!" options:"file"`
 
 	OidcEnabled                bool   `env:"OIDC_ENABLED" default:"false"`
 	OidcClientID               string `env:"OIDC_CLIENT_ID" default:"" options:"file"`
@@ -123,7 +124,7 @@ func loadFromEnv(cfg *Config) {
 			envValue = defaultValue
 		}
 
-		setFieldValue(field, envValue)
+		setFieldValueInternal(field, fieldType, envValue)
 	})
 }
 
@@ -241,8 +242,8 @@ func resolveFileBasedEnvVariable(field reflect.Value, fieldType reflect.StructFi
 	}
 }
 
-// setFieldValue sets a reflect.Value from a string based on the field's type.
-func setFieldValue(field reflect.Value, value string) {
+// setFieldValueInternal sets a reflect.Value from a string based on the field's type.
+func setFieldValueInternal(field reflect.Value, fieldType reflect.StructField, value string) {
 	if !field.CanSet() {
 		return
 	}
@@ -274,6 +275,37 @@ func setFieldValue(field reflect.Value, value string) {
 		return
 	}
 
+	if field.Type() == reflect.TypeFor[time.Duration]() {
+		applyDurationDefault := func(reason string) {
+			envTag := fieldType.Tag.Get("env")
+			defaultValue := fieldType.Tag.Get("default")
+
+			if fallback, fallbackErr := time.ParseDuration(defaultValue); fallbackErr == nil {
+				slog.Warn(reason+", using tagged default",
+					"field", envTag,
+					"value", value,
+					"default", defaultValue)
+				field.SetInt(int64(fallback))
+			} else {
+				slog.Warn(reason+", and invalid tagged default",
+					"field", envTag,
+					"value", value,
+					"default", defaultValue)
+			}
+		}
+
+		if d, err := time.ParseDuration(value); err == nil {
+			if d > 0 {
+				field.SetInt(int64(d))
+			} else {
+				applyDurationDefault("Non-positive duration for config field")
+			}
+		} else {
+			applyDurationDefault("Invalid duration for config field")
+		}
+		return
+	}
+
 	// Handle custom types based on underlying kind
 	if field.Type().ConvertibleTo(reflect.TypeFor[string]()) {
 		// String-based types like AppEnvironment

backend/internal/config/config_test.go

@@ -3,7 +3,9 @@ package config
 import (
 	"os"
 	"path/filepath"
+	"reflect"
 	"testing"
+	"time"
 
 	"github.com/getarcaneapp/arcane/backend/internal/common"
 	"github.com/stretchr/testify/assert"
@@ -353,6 +355,69 @@ func TestConfig_GetManagerBaseURL(t *testing.T) {
 	})
 }
 
+func TestConfig_JWTRefreshExpiry(t *testing.T) {
+	origJWTRefreshExpiry := os.Getenv("JWT_REFRESH_EXPIRY")
+	defer restoreEnv("JWT_REFRESH_EXPIRY", origJWTRefreshExpiry)
+
+	t.Run("defaults to 7 days when not set", func(t *testing.T) {
+		unsetEnv(t, "JWT_REFRESH_EXPIRY")
+
+		cfg := Load()
+		assert.Equal(t, 7*24*time.Hour, cfg.JWTRefreshExpiry)
+	})
+
+	t.Run("parses custom duration from env var", func(t *testing.T) {
+		setEnv(t, "JWT_REFRESH_EXPIRY", "48h")
+
+		cfg := Load()
+		assert.Equal(t, 48*time.Hour, cfg.JWTRefreshExpiry)
+	})
+
+	t.Run("supports compound duration format", func(t *testing.T) {
+		setEnv(t, "JWT_REFRESH_EXPIRY", "24h30m")
+
+		cfg := Load()
+		assert.Equal(t, 24*time.Hour+30*time.Minute, cfg.JWTRefreshExpiry)
+	})
+
+	t.Run("falls back to default on invalid duration", func(t *testing.T) {
+		setEnv(t, "JWT_REFRESH_EXPIRY", "notaduration")
+
+		cfg := Load()
+		assert.Equal(t, 168*time.Hour, cfg.JWTRefreshExpiry)
+	})
+
+	t.Run("falls back to default on zero duration", func(t *testing.T) {
+		setEnv(t, "JWT_REFRESH_EXPIRY", "0s")
+
+		cfg := Load()
+		assert.Equal(t, 168*time.Hour, cfg.JWTRefreshExpiry)
+	})
+
+	t.Run("falls back to default on negative duration", func(t *testing.T) {
+		setEnv(t, "JWT_REFRESH_EXPIRY", "-1h")
+
+		cfg := Load()
+		assert.Equal(t, 168*time.Hour, cfg.JWTRefreshExpiry)
+	})
+}
+
+func TestSetFieldValueInternal_DurationUsesFieldTagDefault(t *testing.T) {
+	type durationConfig struct {
+		SessionTimeout time.Duration `env:"SESSION_TIMEOUT" default:"2h"`
+	}
+
+	cfg := &durationConfig{}
+	v := reflect.ValueOf(cfg).Elem()
+	field := v.FieldByName("SessionTimeout")
+	fieldType, ok := v.Type().FieldByName("SessionTimeout")
+	require.True(t, ok)
+
+	setFieldValueInternal(field, fieldType, "invalid-duration")
+
+	assert.Equal(t, 2*time.Hour, cfg.SessionTimeout)
+}
+
 func restoreEnv(key, value string) {
 	if value == "" {
 		_ = os.Unsetenv(key)

backend/internal/services/auth_service.go

@@ -64,7 +64,7 @@ func NewAuthService(userService *UserService, settingsService *SettingsService,
 		settingsService: settingsService,
 		eventService:    eventService,
 		jwtSecret:       crypto.CheckOrGenerateJwtSecret(jwtSecret),
-		refreshExpiry:   7 * 24 * time.Hour,
+		refreshExpiry:   cfg.JWTRefreshExpiry,
 		config:          cfg,
 	}
 }