fix: reduce token TTL to 14 days with 3-day refresh threshold

The previous 30-day TTL with 14-day refresh threshold left a narrow
window for refresh and kept stolen tokens valid for too long.
New values: 14-day TTL with 3-day refresh — active clients refresh
early and live indefinitely, inactive clients survive up to 2 weeks.

Supersedes #80 which proposed 24h TTL (too aggressive for paired
desktops that may be unused for a week).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: matej21

crates/okena-core/src/client/types.rs

@@ -85,8 +85,8 @@ pub enum ConnectionEvent {
     },
 }
 
-/// Token age threshold for refresh (14 days).
-pub const TOKEN_REFRESH_AGE_SECS: i64 = 14 * 24 * 3600;
+/// Token age threshold for refresh (3 days). Must be well under the 14-day server TTL.
+pub const TOKEN_REFRESH_AGE_SECS: i64 = 3 * 24 * 3600;
 
 #[cfg(test)]
 mod tests {

crates/okena-remote-client/src/manager.rs

@@ -362,7 +362,7 @@ impl RemoteConnectionManager {
     }
 
     /// Start a periodic token refresh task.
-    /// Checks every 10 minutes and refreshes tokens older than 20 hours.
+    /// Checks every 10 minutes and refreshes tokens older than 3 days.
     pub fn start_token_refresh_task(&self, cx: &mut Context<Self>) {
         let event_tx = self.event_tx.clone();
         let runtime = self.runtime.clone();

src/remote/auth.rs

@@ -11,8 +11,8 @@ use std::time::{Duration, Instant, SystemTime};
 
 type HmacSha256 = Hmac<Sha256>;
 
-/// Token time-to-live in seconds (30 days).
-pub const TOKEN_TTL_SECS: u64 = 30 * 24 * 3600;
+/// Token time-to-live in seconds (14 days).
+pub const TOKEN_TTL_SECS: u64 = 14 * 24 * 3600;
 
 /// A stored token record.
 #[allow(dead_code)]