refactor(jwt): unify jwt configuration and token expiration handling

- Consolidate JWT configuration in settings with unified environment variables
- Remove hardcoded expiration values and use settings defaults
- Add backward compatibility for legacy JWT config variables
- Update token generation to use new configuration approach

app/core/config.py

@@ -12,9 +12,23 @@ class Settings:
     CACHE_URI: str = os.getenv("CACHE_URI")
     CACHE_K: str = os.getenv("CACHE_K")
 
-    # JWT
-    SECRET_KEY: str = os.getenv("SECRET_KEY", "B00Kmyservice@7")
-    ALGORITHM: str = os.getenv("ALGORITHM", "HS256")
+    # JWT (Unified across services)
+    # Prefer JWT_* envs; fall back to legacy names to ensure compatibility
+    JWT_SECRET_KEY: str = os.getenv("JWT_SECRET_KEY") or os.getenv("SECRET_KEY", "B00Kmyservice@7")
+    JWT_ALGORITHM: str = os.getenv("JWT_ALGORITHM") or os.getenv("ALGORITHM", "HS256")
+    JWT_ACCESS_TOKEN_EXPIRE_MINUTES: int = int(
+        os.getenv("JWT_ACCESS_TOKEN_EXPIRE_MINUTES", os.getenv("ACCESS_TOKEN_EXPIRE_MINUTES", "480"))
+    )
+    JWT_REFRESH_TOKEN_EXPIRE_DAYS: int = int(
+        os.getenv("JWT_REFRESH_TOKEN_EXPIRE_DAYS", os.getenv("REFRESH_TOKEN_EXPIRE_DAYS", "7"))
+    )
+    JWT_TEMP_TOKEN_EXPIRE_MINUTES: int = int(
+        os.getenv("JWT_TEMP_TOKEN_EXPIRE_MINUTES", os.getenv("TEMP_TOKEN_EXPIRE_MINUTES", "10"))
+    )
+
+    # Backward compatibility: keep legacy attributes pointing to unified values
+    SECRET_KEY: str = JWT_SECRET_KEY
+    ALGORITHM: str = JWT_ALGORITHM
 
     # Twilio SMS
     TWILIO_ACCOUNT_SID: str = os.getenv("TWILIO_ACCOUNT_SID")

app/routers/user_router.py

@@ -254,7 +254,7 @@ async def oauth_login_handler(payload: OAuthLoginRequest, request: Request):
             "verified": True,
             "provider": payload.provider,
             "user_info": user_info
-        }, expires_minutes=10)
+        })
 
         # Log temporary OAuth session token (truncated)
         logger.info(f"OAuth temp token generated (first 25 chars): {temp_token[:25]}...")
@@ -327,19 +327,19 @@ async def refresh_token_handler(refresh_token: str = Depends(get_bearer_token)):
         # Create new access token
         access_token = create_access_token({
             "sub": customer_id
-        }, expires_minutes=60)  # 1 hour access token
+        })
         
         # Optionally create a new refresh token (refresh token rotation)
         new_refresh_token = create_refresh_token({
             "sub": customer_id
-        }, expires_days=7)  # 7 days refresh token
+        })
         
         logger.info(f"New access token generated for user: {customer_id}")
         
         return {
             "access_token": access_token,
             "token_type": "bearer",
-            "expires_in": 3600,  # 1 hour in seconds
+            "expires_in": settings.JWT_ACCESS_TOKEN_EXPIRE_MINUTES * 60,
             "refresh_token": new_refresh_token,
             "customer_id": customer_id
         }

app/schemas/user_schema.py

@@ -121,7 +121,7 @@ class OAuthLoginRequest(BaseModel):
 class TokenResponse(BaseModel):
     access_token: str
     token_type: str = "bearer"
-    expires_in: Optional[int] = 28800  # 8 hours in seconds
+    expires_in: Optional[int] = None
     refresh_token: Optional[str] = None
     customer_id: Optional[str] = None
     name: Optional[str] = None

app/services/user_service.py

@@ -108,18 +108,18 @@ class UserService:
             logger.info("Creating JWT token for authenticated user")
             token_data = {
                 "sub": user.get("customer_id"),
-                "exp": datetime.utcnow() + timedelta(hours=8)
+                "exp": datetime.utcnow() + timedelta(minutes=settings.JWT_ACCESS_TOKEN_EXPIRE_MINUTES)
             }
             logger.info(f"Token data: {token_data}")
             
-            access_token = jwt.encode(token_data, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
+            access_token = jwt.encode(token_data, settings.JWT_SECRET_KEY, algorithm=settings.JWT_ALGORITHM)
             
             # Create refresh token
             refresh_token_data = {
                 "sub": user.get("customer_id"),
-                "exp": datetime.utcnow() + timedelta(days=7)
+                "exp": datetime.utcnow() + timedelta(days=settings.JWT_REFRESH_TOKEN_EXPIRE_DAYS)
             }
-            refresh_token = jwt.encode(refresh_token_data, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
+            refresh_token = jwt.encode(refresh_token_data, settings.JWT_SECRET_KEY, algorithm=settings.JWT_ALGORITHM)
             
             # Log generated tokens (truncated for security)
             logger.info(f"Access token generated (first 25 chars): {access_token}...")
@@ -131,7 +131,7 @@ class UserService:
                 "access_token": access_token, 
                 "refresh_token": refresh_token,
                 "token_type": "bearer", 
-                "expires_in": 28800,
+                "expires_in": settings.JWT_ACCESS_TOKEN_EXPIRE_MINUTES * 60,
                 "customer_id": user.get("customer_id"),
                 "name": user.get("name"),
                 "email": user.get("email"),
@@ -218,16 +218,16 @@ class UserService:
                     
                     token_data = {
                         "sub": existing_user["customer_id"],
-                        "exp": datetime.utcnow() + timedelta(hours=8)
+                        "exp": datetime.utcnow() + timedelta(minutes=settings.JWT_ACCESS_TOKEN_EXPIRE_MINUTES)
                     }
-                    access_token = jwt.encode(token_data, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
+                    access_token = jwt.encode(token_data, settings.JWT_SECRET_KEY, algorithm=settings.JWT_ALGORITHM)
                     
                     # Create refresh token
                     refresh_token_data = {
                         "sub": existing_user["customer_id"],
-                        "exp": datetime.utcnow() + timedelta(days=7)
+                        "exp": datetime.utcnow() + timedelta(days=settings.JWT_REFRESH_TOKEN_EXPIRE_DAYS)
                     }
-                    refresh_token = jwt.encode(refresh_token_data, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
+                    refresh_token = jwt.encode(refresh_token_data, settings.JWT_SECRET_KEY, algorithm=settings.JWT_ALGORITHM)
                     
                     # Log generated tokens for existing linked user (truncated)
                     logger.info(f"Access token for existing user (first 25 chars): {access_token[:25]}...")
@@ -237,7 +237,7 @@ class UserService:
                         "access_token": access_token,
                         "refresh_token": refresh_token,
                         "token_type": "bearer",
-                        "expires_in": 28800
+                        "expires_in": settings.JWT_ACCESS_TOKEN_EXPIRE_MINUTES * 60
                     }
             
             # Generate a new UUID for customer_id instead of provider-prefixed ID
@@ -284,17 +284,17 @@ class UserService:
 
         token_data = {
             "sub": customer_id,
-            "exp": datetime.utcnow() + timedelta(hours=8)
+            "exp": datetime.utcnow() + timedelta(minutes=settings.JWT_ACCESS_TOKEN_EXPIRE_MINUTES)
         }
 
-        access_token = jwt.encode(token_data, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
+        access_token = jwt.encode(token_data, settings.JWT_SECRET_KEY, algorithm=settings.JWT_ALGORITHM)
         
         # Create refresh token
         refresh_token_data = {
             "sub": customer_id,
-            "exp": datetime.utcnow() + timedelta(days=7)
+            "exp": datetime.utcnow() + timedelta(days=settings.JWT_REFRESH_TOKEN_EXPIRE_DAYS)
         }
-        refresh_token = jwt.encode(refresh_token_data, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
+        refresh_token = jwt.encode(refresh_token_data, settings.JWT_SECRET_KEY, algorithm=settings.JWT_ALGORITHM)
         
         # Log generated tokens for new registration (truncated)
         logger.info(f"Access token on register (first 25 chars): {access_token[:25]}...")
@@ -304,7 +304,7 @@ class UserService:
             "access_token": access_token,
             "refresh_token": refresh_token,
             "token_type": "bearer",
-            "expires_in": 28800,
+            "expires_in": settings.JWT_ACCESS_TOKEN_EXPIRE_MINUTES * 60,
             "customer_id": customer_id,
             "name": data.name,
             "email": data.email,

app/utils/jwt.py

@@ -6,11 +6,14 @@ from datetime import datetime, timedelta
 from fastapi import Depends, HTTPException, status
 from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
 from typing import Optional
-import os
+from app.core.config import settings
 import logging
 
-SECRET_KEY = os.getenv("JWT_SECRET_KEY", "secret-key-placeholder")
-ALGORITHM = "HS256"
+SECRET_KEY = settings.JWT_SECRET_KEY
+ALGORITHM = settings.JWT_ALGORITHM
+ACCESS_EXPIRE_MINUTES_DEFAULT = settings.JWT_ACCESS_TOKEN_EXPIRE_MINUTES
+REFRESH_EXPIRE_DAYS_DEFAULT = settings.JWT_REFRESH_TOKEN_EXPIRE_DAYS
+TEMP_EXPIRE_MINUTES_DEFAULT = settings.JWT_TEMP_TOKEN_EXPIRE_MINUTES
 
 # Security scheme
 security = HTTPBearer()
@@ -18,7 +21,7 @@ security = HTTPBearer()
 # Module logger (app-level logging config applies)
 logger = logging.getLogger(__name__)
 
-def create_access_token(data: dict, expires_minutes: int = 60):
+def create_access_token(data: dict, expires_minutes: int = ACCESS_EXPIRE_MINUTES_DEFAULT):
     to_encode = data.copy()
     expire = datetime.utcnow() + timedelta(minutes=expires_minutes)
     to_encode.update({"exp": expire})
@@ -34,7 +37,7 @@ def create_access_token(data: dict, expires_minutes: int = 60):
     )
     return jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
 
-def create_refresh_token(data: dict, expires_days: int = 7):
+def create_refresh_token(data: dict, expires_days: int = REFRESH_EXPIRE_DAYS_DEFAULT):
     to_encode = data.copy()
     expire = datetime.utcnow() + timedelta(days=expires_days)
     to_encode.update({"exp": expire, "type": "refresh"})
@@ -46,7 +49,7 @@ def create_refresh_token(data: dict, expires_days: int = 7):
     )
     return jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
 
-def create_temp_token(data: dict, expires_minutes: int = 10):
+def create_temp_token(data: dict, expires_minutes: int = TEMP_EXPIRE_MINUTES_DEFAULT):
     logger.info("Creating temporary access token with short expiry")
     return create_access_token(data, expires_minutes=expires_minutes)
 

scripts/generate_token.py

@@ -0,0 +1,22 @@
+import sys
+from pathlib import Path
+from jose import jwt
+from datetime import datetime, timedelta, timezone
+
+# Ensure project root is importable so 'app' package resolves correctly
+ROOT = Path(__file__).resolve().parents[1]
+if str(ROOT) not in sys.path:
+    sys.path.insert(0, str(ROOT))
+
+from app.core.config import settings
+
+def main():
+    payload = {
+        "sub": "test-customer-123",
+        "exp": datetime.now(timezone.utc) + timedelta(minutes=settings.JWT_ACCESS_TOKEN_EXPIRE_MINUTES),
+    }
+    token = jwt.encode(payload, settings.JWT_SECRET_KEY, algorithm=settings.JWT_ALGORITHM)
+    print(token)
+
+if __name__ == "__main__":
+    main()