feat(auth): make access-token TTL configurable, default 4h

Replace the hardcoded 1440-minute (24h) JWT lifetime with
DECNET_JWT_EXP_MINUTES (validated positive int, default 240 = 4h).
Shrinks the passive window of a stolen token; active revocation is
unchanged (immediate→≤10s).
2026-05-30 23:05:05 -04:00
parent 9fc489258b
commit ae16c4437b
4 changed files with 82 additions and 2 deletions

@@ -40,6 +40,11 @@ DECNET_API_PORT=8000
# is true. Known-bad values (admin, secret, password, changeme,
# fallback-secret-key-change-me) are rejected at startup.
DECNET_JWT_SECRET=
# Access-token lifetime in minutes (positive integer). Default 240 (4h).
# Bounds how long a stolen token stays valid passively; active revocation
# (logout, password/role change) is immediate→≤10s regardless. Going much
# lower (e.g. 15) needs a refresh-token flow — not yet implemented.
DECNET_JWT_EXP_MINUTES=240
# File the ingester tails for honeypot events.
DECNET_INGEST_LOG_FILE=/var/log/decnet/decnet.log
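Review bot: the DECNET_JWT_EXP_MINUTES comment only warns about going lower; since the validator described in the commit message accepts any positive integer, an operator can set 1440 or more and silently restore the 24h (or longer) passive window this change is meant to shrink. Suggest either stating a recommended ceiling in the comment (e.g. "values above 240 widen the stolen-token window; do not exceed 1440") or rejecting values above a maximum at startup alongside the existing positive-int check. Separately, "immediate→≤10s" is ambiguous shorthand for three different actions (logout, password change, role change); spell out which of them is immediate and which can take up to 10s so an operator reading the .env alone knows what the bound means.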