feat(auth): configure JWT issuer and expiry

- Added JWT issuer and expiry config to .env
- Updated JWT service to use config values
- Added TTL indexes for tokens and codes
- Improved database seeding with new indexes
- Configured CORS origin in environment

Author: fulleni

.env.example

@@ -15,3 +15,12 @@
 # This allows the client (e.g., the HT Dashboard) to make requests to the API.
 # For local development, this can be left unset as 'localhost' is allowed by default.
 # CORS_ALLOWED_ORIGIN="https://your-dashboard.com"
+
+# REQUIRED FOR PRODUCTION: The issuer URL for JWTs.
+# Defaults to 'http://localhost:8080' for local development if not set.
+# For production, this MUST be the public URL of your API.
+# JWT_ISSUER="https://api.your-domain.com"
+
+# OPTIONAL: The expiry duration for JWTs in hours.
+# Defaults to 1 hour if not set.
+# JWT_EXPIRY_HOURS="24"

lib/src/config/environment_config.dart

@@ -108,4 +108,20 @@ abstract final class EnvironmentConfig {
   /// This is used to configure CORS for production environments.
   /// Returns `null` if the variable is not set.
   static String? get corsAllowedOrigin => _env['CORS_ALLOWED_ORIGIN'];
+
+  /// Retrieves the JWT issuer URL from the environment.
+  ///
+  /// The value is read from the `JWT_ISSUER` environment variable.
+  /// Defaults to 'http://localhost:8080' if not set.
+  static String get jwtIssuer =>
+      _env['JWT_ISSUER'] ?? 'http://localhost:8080';
+
+  /// Retrieves the JWT expiry duration in hours from the environment.
+  ///
+  /// The value is read from the `JWT_EXPIRY_HOURS` environment variable.
+  /// Defaults to 1 hour if not set or if parsing fails.
+  static Duration get jwtExpiryDuration {
+    final hours = int.tryParse(_env['JWT_EXPIRY_HOURS'] ?? '1');
+    return Duration(hours: hours ?? 1);
+  }
 }

lib/src/services/database_seeding_service.dart

@@ -145,16 +145,27 @@ class DatabaseSeedingService {
         name: 'sources_text_index',
       );
 
+      // --- TTL and Unique Indexes via runCommand ---
+      // The following indexes are created using the generic `runCommand` because
+      // they require specific options not exposed by the simpler `createIndex`
+      // helper method in the `mongo_dart` library.
+      // Specifically, `expireAfterSeconds` is needed for TTL indexes.
+
       // Indexes for the verification codes collection
       await _db.runCommand({
         'createIndexes': kVerificationCodesCollection,
         'indexes': [
           {
+            // This is a TTL (Time-To-Live) index. MongoDB will automatically
+            // delete documents from this collection when the `expiresAt` field's
+            // value is older than the specified number of seconds (0).
             'key': {'expiresAt': 1},
             'name': 'expiresAt_ttl_index',
             'expireAfterSeconds': 0,
           },
           {
+            // This ensures that each email can only have one pending
+            // verification code at a time, preventing duplicates.
             'key': {'email': 1},
             'name': 'email_unique_index',
             'unique': true,
@@ -167,6 +178,8 @@ class DatabaseSeedingService {
         'createIndexes': kBlacklistedTokensCollection,
         'indexes': [
           {
+            // This is a TTL index. MongoDB will automatically delete documents
+            // (blacklisted tokens) when the `expiry` field's value is past.
             'key': {'expiry': 1},
             'name': 'expiry_ttl_index',
             'expireAfterSeconds': 0,

lib/src/services/jwt_auth_token_service.dart

@@ -32,35 +32,30 @@ class JwtAuthTokenService implements AuthTokenService {
   final TokenBlacklistService _blacklistService;
   final Logger _log;
 
-  // --- Configuration ---
-
-  // Define token issuer and default expiry duration
-  static const String _issuer = 'http://localhost:8080';
-  static const Duration _tokenExpiryDuration = Duration(hours: 1);
-
   // --- Interface Implementation ---
 
   @override
   Future<String> generateToken(User user) async {
     try {
       final now = DateTime.now();
-      final expiry = now.add(_tokenExpiryDuration);
+      final expiry = now.add(EnvironmentConfig.jwtExpiryDuration);
+      final issuer = EnvironmentConfig.jwtIssuer;
 
       final jwt = JWT(
         {
           // Standard claims
           'sub': user.id, // Subject (user ID) - REQUIRED
           'exp': expiry.millisecondsSinceEpoch ~/ 1000, // Expiration Time
           'iat': now.millisecondsSinceEpoch ~/ 1000, // Issued At
-          'iss': _issuer, // Issuer
+          'iss': issuer, // Issuer
           'jti': ObjectId().oid, // JWT ID (for potential blacklisting)
           // Custom claims (optional, include what's useful)
           'email': user.email, // Kept for convenience
           // Embed the new enum-based roles. Use .name for string value.
           'appRole': user.appRole.name,
           'dashboardRole': user.dashboardRole.name,
         },
-        issuer: _issuer,
+        issuer: issuer,
         subject: user.id,
         jwtId: ObjectId().oid, // Re-setting jti here for clarity if needed
       );
@@ -69,7 +64,7 @@ class JwtAuthTokenService implements AuthTokenService {
       final token = jwt.sign(
         SecretKey(EnvironmentConfig.jwtSecretKey),
         algorithm: JWTAlgorithm.HS256,
-        expiresIn: _tokenExpiryDuration, // Redundant but safe
+        expiresIn: EnvironmentConfig.jwtExpiryDuration, // Redundant but safe
       );
 
       _log.info('Generated JWT for user ${user.id}');