api: make AUTHENTICATION_TOKEN_TTL configurable

Don't add it to the workflows yet because ecamp#8025 will make this a lot easier.
Has merge conflict with ecamp#8025

The ttl will be made shorter ones all users have refresh tokens.

Author: BacLuc

.helm/ecamp3/templates/api_configmap.yaml

@@ -7,6 +7,9 @@ metadata:
     {{- include "app.commonLabels" . | nindent 4 }}
 data:
   ADDITIONAL_TRUSTED_HOSTS: {{ .Values.domain | quote }}
+  {{- if not (.Values.api.authenticationTokenTtl | empty) }}
+  AUTHENTICATION_TOKEN_TTL: {{ .Values.api.authenticationTokenTtl | quote }}
+  {{- end }}
   COOKIE_PREFIX: {{ include "api.cookiePrefix" . | quote }}
   APP_ENV: {{ .Values.api.appEnv | quote }}
   APP_DEBUG: {{ .Values.api.appDebug | quote }}

.helm/ecamp3/values.yaml

@@ -18,6 +18,7 @@ featureToggle:
   checklist: false # enables checklist feature in frontend
 
 api:
+  authenticationTokenTtl:
   subpath: "/api"
   image:
     repository: "docker.io/ecamp/ecamp3-api"

api/.env

@@ -81,4 +81,6 @@ MAIL_FROM_NAME="eCamp v3"
 RECAPTCHA_SECRET="disabled"
 ###< google/recaptcha ###
 
+# Tokens are valid for 12 hours..
+AUTHENTICATION_TOKEN_TTL=43200
 TRANSLATE_ERRORS_TO_LOCALES="en,de,fr,it,rm"

api/config/packages/lexik_jwt_authentication.yaml

@@ -7,9 +7,7 @@ lexik_jwt_authentication:
     public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
     pass_phrase: '%env(JWT_PASSPHRASE)%'
 
-    # Tokens are valid for 12 hours, should be safe because we never expose the whole token to JavaScript.
-    # Of course it would be even better to have only short-lived tokens but renew them on every request.
-    token_ttl: 43200
+    token_ttl: '%env(AUTHENTICATION_TOKEN_TTL)%'
 
     # Read the JWT token from a split cookie: The [api-domain]_jwt_hp and [api-domain]_jwt_s cookies are combined with a period (.)
     # to form the full JWT token.