feat(auth): make access-token TTL configurable, default 4h

Replace the hardcoded 1440-minute (24h) JWT lifetime with DECNET_JWT_EXP_MINUTES (validated positive int, default 240 = 4h). Shrinks the passive window of a stolen token; active revocation is unchanged (immediate->=<10s).
2026-05-30 23:05:05 -04:00
parent 9fc489258b
commit ae16c4437b
4 changed files with 82 additions and 2 deletions
--- a/decnet/env.py
+++ b/decnet/env.py
@@ -28,6 +28,17 @@ def _port(name: str, default: int) -> int:
    return value


+def _pos_int(name: str, default: int) -> int:
+    raw = os.environ.get(name, str(default))
+    try:
+        value = int(raw)
+    except ValueError:
+        raise ValueError(f"Environment variable '{name}' must be an integer, got '{raw}'.")
+    if value < 1:
+        raise ValueError(f"Environment variable '{name}' must be a positive integer, got {value}.")
+    return value
+
+
 def _require_env(name: str) -> str:
    """Return the env var value or raise at startup if it is unset or a known-bad default."""
    _KNOWN_BAD = {"fallback-secret-key-change-me", "admin", "secret", "password", "changeme"}
@@ -138,6 +149,11 @@ DECNET_BATCH_MAX_WAIT_MS: int = int(os.environ.get("DECNET_BATCH_MAX_WAIT_MS", "
 DECNET_WEB_HOST: str = os.environ.get("DECNET_WEB_HOST", "127.0.0.1")
 DECNET_WEB_PORT: int = _port("DECNET_WEB_PORT", 8080)
 DECNET_ADMIN_USER: str = os.environ.get("DECNET_ADMIN_USER", "admin")
+# Access-token lifetime in minutes. Default 4h — short enough to bound the
+# passive window of a stolen token (active revocation is immediate→≤10s), long
+# enough that the operator is not re-authenticating constantly. Shortening this
+# meaningfully (e.g. 15m) requires a refresh-token mechanism; deferred to v1.
+DECNET_JWT_EXP_MINUTES: int = _pos_int("DECNET_JWT_EXP_MINUTES", 240)
 # DECNET_ADMIN_PASSWORD is resolved lazily via __getattr__ (like DECNET_JWT_SECRET)
 # so it is validated only on the master processes that seed the admin user, and
 # never silently defaults to "admin". See _require_env + __getattr__ below.
--- a/decnet/web/auth.py
+++ b/decnet/web/auth.py
@@ -5,11 +5,11 @@ from typing import Optional, Any
 import jwt
 import bcrypt

-from decnet.env import DECNET_JWT_SECRET
+from decnet.env import DECNET_JWT_SECRET, DECNET_JWT_EXP_MINUTES

 SECRET_KEY: str = DECNET_JWT_SECRET
 ALGORITHM: str = "HS256"
-ACCESS_TOKEN_EXPIRE_MINUTES: int = 1440
+ACCESS_TOKEN_EXPIRE_MINUTES: int = DECNET_JWT_EXP_MINUTES


 def verify_password(plain_password: str, hashed_password: str) -> bool: