add configurable token TTL flag

Add --token-ttl flag to allow customizing token expiration duration
while keeping the default at 24 hours. The flag accepts standard Go
duration formats (e.g. 24h, 1h30m, 48h).

Changes:
- Add --token-ttl CLI flag with 24h default
- Move token TTL from constant to Config struct
- Update tests to use configurable TTL
- Update README documentation

Signed-off-by: Gustavo Chain <me@qustavo.cc>

Author: qustavo

README.md

@@ -40,6 +40,7 @@ l402proxy \
 | `--lnd-cert` | `~/.lnd/tls.cert` | Path to LND TLS cert |
 | `--service-name` | `l402proxy` | Label used in invoice memos |
 | `--secret-key` | auto-generated | Hex-encoded 32-byte HMAC secret (tokens won't survive restarts if omitted) |
+| `--token-ttl` | `24h` | Token expiration duration (e.g. `24h`, `1h30m`, `48h`) |
 
 ## L402 flow (curl example)
 
@@ -72,7 +73,7 @@ HTTP/1.1 200 OK
 
 ## Token format
 
-`base64url(json_payload).hex(hmac_sha256)` — stateless, no database required. Token TTL is 24 hours.
+`base64url(json_payload).hex(hmac_sha256)` — stateless, no database required. Token TTL is 24 hours by default (configurable via `--token-ttl`).
 
 ## Comparison with Aperture
 

cmd/l402proxy/main.go

@@ -10,6 +10,7 @@ import (
 	"net/url"
 	"os"
 	"strings"
+	"time"
 
 	"github.com/qustavo/l402proxy/pkg/lightning"
 	"github.com/qustavo/l402proxy/pkg/proxy"
@@ -60,6 +61,11 @@ func main() {
 				Name:  "secret-key",
 				Usage: "Hex-encoded 32-byte HMAC secret (auto-generated if omitted — tokens won't survive restarts)",
 			},
+			&cli.DurationFlag{
+				Name:  "token-ttl",
+				Usage: "Token expiration duration (e.g. 24h, 1h30m, 48h)",
+				Value: 24 * time.Hour,
+			},
 		},
 		Action: run,
 	}
@@ -106,6 +112,7 @@ func run(c *cli.Context) error {
 		Upstream:    upstream,
 		PriceMsat:   priceMsat,
 		ServiceName: c.String("service-name"),
+		TokenTTL:    c.Duration("token-ttl"),
 	}, backend, secret, log)
 
 	addr := c.String("listen")

pkg/proxy/handler.go

@@ -18,13 +18,12 @@ import (
 	"github.com/qustavo/l402proxy/pkg/macaroon"
 )
 
-const tokenTTL = 24 * time.Hour
-
 // Config holds the proxy handler settings.
 type Config struct {
 	Upstream    *url.URL
 	PriceMsat   int64
 	ServiceName string
+	TokenTTL    time.Duration
 }
 
 // Handler is an http.Handler that enforces L402 payment before proxying.
@@ -105,7 +104,7 @@ func (h *Handler) challenge(w http.ResponseWriter, r *http.Request) error {
 		return fmt.Errorf("creating invoice: %w", err)
 	}
 
-	token, err := h.tokens.Issue(inv.PaymentHash, tokenTTL)
+	token, err := h.tokens.Issue(inv.PaymentHash, h.cfg.TokenTTL)
 	if err != nil {
 		return fmt.Errorf("issuing token: %w", err)
 	}

pkg/proxy/handler_test.go

@@ -59,6 +59,7 @@ func newTestHandler(t *testing.T, upstream *httptest.Server, settled bool) (*Han
 		Upstream:    upstreamURL,
 		PriceMsat:   10_000,
 		ServiceName: "test",
+		TokenTTL:    24 * time.Hour,
 	}, backend, secret, slog.New(slog.NewTextHandler(io_discard{}, nil)))
 	return h, tokens
 }