feat(auth): extend refresh TTL and keep session on transient errors

Bumps refresh token lifetime to 720h with env overrides, and stops
clearing the local session for non-401 refresh failures so users aren't
logged out by transient network blips. Adds a 60s retry timer when a
refresh fails for non-auth reasons.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-25 18:09:01 +08:00
parent 7e78b031d7
commit d1f2a14477
9 changed files with 115 additions and 12 deletions
@@ -166,6 +166,33 @@ scheduler:
}
}
func TestLoadPrefersEnvJWTSettings(t *testing.T) {
t.Setenv("JWT_SECRET", "env-jwt-secret")
t.Setenv("JWT_ACCESS_TTL", "20m")
t.Setenv("JWT_REFRESH_TTL", "720h")
configPath := writeTestConfig(t, `
jwt:
secret: config-jwt-secret
access_ttl: 15m
refresh_ttl: 168h
`)
cfg, err := Load(configPath)
if err != nil {
t.Fatalf("Load() error = %v", err)
}
if cfg.JWT.Secret != "env-jwt-secret" {
t.Fatalf("expected env jwt secret, got %q", cfg.JWT.Secret)
}
if cfg.JWT.AccessTTL != 20*time.Minute {
t.Fatalf("expected env jwt access ttl 20m, got %s", cfg.JWT.AccessTTL)
}
if cfg.JWT.RefreshTTL != 720*time.Hour {
t.Fatalf("expected env jwt refresh ttl 720h, got %s", cfg.JWT.RefreshTTL)
}
}
func TestLoadAppliesMembershipDefaults(t *testing.T) {
configPath := writeTestConfig(t, `
membership: {}