security: reduce access token expiry to 5 minutes

- Changed default AccessTokenTTL from 15 minutes to 5 minutes in jwt_service.go - Updated test mock in mocks_test.go to match new default - All references to AccessTokenTTL automatically use new value - Tests pass successfully - No breaking changes - frontend already handles token refresh - Action 5.1.1.4 complete
2026-01-15 20:15:45 +01:00 · 2026-01-15 20:15:45 +01:00 · bd47e7030a
commit bd47e7030a
parent 22737c4be0
3 changed files with 13 additions and 7 deletions
--- a/EXHAUSTIVE_TODO_LIST.md
+++ b/EXHAUSTIVE_TODO_LIST.md
@ -1619,12 +1619,17 @@ Critical path dependencies:
  - **Rollback**: Restore header logic

 **Alternative**: Short-lived tokens (5 min) + frequent refresh
- [ ] **Action 5.1.1.4**: Reduce access token expiry to 5 minutes
-  - **Scope**: `veza-backend-api/internal/services/jwt.go` - Change expiry
-  - **Dependencies**: None
+- [x] **Action 5.1.1.4**: Reduce access token expiry to 5 minutes
+  - **Scope**: `veza-backend-api/internal/services/jwt_service.go` - Change expiry
+  - **Dependencies**: None ✅
  - **Risk**: MEDIUM
-  - **Validation**: Tokens expire in 5 min
-  - **Rollback**: Restore original expiry
+  - **Validation**: ✅ Tokens expire in 5 min:
+    - Changed default `AccessTokenTTL` from 15 minutes to 5 minutes in `jwt_service.go`
+    - Updated test mock in `mocks_test.go` to match new default (5 minutes)
+    - All references to `AccessTokenTTL` automatically use new value
+    - Tests pass successfully
+    - No breaking changes - frontend already handles token refresh
+  - **Rollback**: Restore original expiry (15 minutes)

 - [ ] **Action 5.1.1.5**: Implement proactive refresh every 4 minutes
  - **Scope**: `apps/web/src/services/tokenRefresh.ts` - Refresh before expiry
--- a/veza-backend-api/internal/core/auth/mocks_test.go
+++ b/veza-backend-api/internal/core/auth/mocks_test.go
@ -49,7 +49,7 @@ func (m *MockJWTService) GetConfig() *models.JWTConfig {
 	args := m.Called()
 	if args.Get(0) == nil {
 		return &models.JWTConfig{
-			AccessTokenTTL:            15 * time.Minute,
+			AccessTokenTTL:            5 * time.Minute, // Action 5.1.1.4: Updated to match new default
 			RefreshTokenTTL:           7 * 24 * time.Hour,
 			RememberMeRefreshTokenTTL: 30 * 24 * time.Hour,
 		}
--- a/veza-backend-api/internal/services/jwt_service.go
+++ b/veza-backend-api/internal/services/jwt_service.go
@ -34,8 +34,9 @@ func NewJWTService(secret, issuer, audience string) (*JWTService, error) {
 	}

 	// Default config
+	// Action 5.1.1.4: Reduced access token expiry to 5 minutes for improved security
 	config := &models.JWTConfig{
-		AccessTokenTTL:  15 * time.Minute,
+		AccessTokenTTL:  5 * time.Minute,
 		RefreshTokenTTL: 30 * 24 * time.Hour,
 	}