fix(examples): reject non-positive JWT_TTL at config load

aryeko · aryeko · commit 38cf3c747beb · 2026-02-07T20:16:20.000+02:00
diff --git a/examples/hello-mysql/cmd/api/main_test.go b/examples/hello-mysql/cmd/api/main_test.go
@@ -218,3 +218,12 @@ func TestLoadAppOptions_WithOverrides(t *testing.T) {
 		t.Fatalf("unexpected rate limits: %v/%d", got.RateLimitPerSecond, got.RateLimitBurst)
 	}
 }
+
+func TestLoadAppOptions_InvalidNonPositiveJWTTTL(t *testing.T) {
+	t.Setenv("JWT_TTL", "0s")
+
+	_, err := loadAppOptions()
+	if err == nil {
+		t.Fatalf("expected error for non-positive JWT_TTL")
+	}
+}
diff --git a/examples/hello-mysql/internal/modules/config/module.go b/examples/hello-mysql/internal/modules/config/module.go
@@ -1,6 +1,7 @@
 package config
 
 import (
+	"fmt"
 	"time"
 
 	mkconfig "github.com/go-modkit/modkit/modkit/config"
@@ -89,7 +90,7 @@ func (m *Module) Definition() module.ModuleDef {
 		mkconfig.WithTyped(TokenJWTTTL, mkconfig.ValueSpec[time.Duration]{
 			Key:     "JWT_TTL",
 			Default: &jwtTTLDefault,
-			Parse:   mkconfig.ParseDuration,
+			Parse:   parsePositiveDuration,
 		}, true),
 		mkconfig.WithTyped(TokenAuthUsername, mkconfig.ValueSpec[string]{
 			Key:     "AUTH_USERNAME",
@@ -141,3 +142,14 @@ func (m *Module) Definition() module.ModuleDef {
 		Exports: exportedTokens,
 	}
 }
+
+func parsePositiveDuration(raw string) (time.Duration, error) {
+	d, err := mkconfig.ParseDuration(raw)
+	if err != nil {
+		return 0, err
+	}
+	if d <= 0 {
+		return 0, fmt.Errorf("duration must be > 0")
+	}
+	return d, nil
+}
diff --git a/examples/hello-mysql/internal/modules/config/module_test.go b/examples/hello-mysql/internal/modules/config/module_test.go
@@ -1,10 +1,12 @@
 package config
 
 import (
+	"errors"
 	"reflect"
 	"testing"
 	"time"
 
+	mkconfig "github.com/go-modkit/modkit/modkit/config"
 	"github.com/go-modkit/modkit/modkit/kernel"
 	"github.com/go-modkit/modkit/modkit/module"
 )
@@ -114,3 +116,22 @@ func TestResolvesSourceOverrides(t *testing.T) {
 		t.Fatalf("unexpected RATE_LIMIT_BURST: %d err=%v", burst, err)
 	}
 }
+
+func TestRejectsNonPositiveJWTTTL(t *testing.T) {
+	src := mapSource{"JWT_TTL": "0s"}
+
+	app, err := kernel.Bootstrap(&rootModule{imports: []module.Module{NewModule(Options{Source: src})}})
+	if err != nil {
+		t.Fatalf("bootstrap failed: %v", err)
+	}
+
+	_, err = module.Get[time.Duration](app, TokenJWTTTL)
+	if err == nil {
+		t.Fatalf("expected JWT_TTL parse error")
+	}
+
+	var parseErr *mkconfig.ParseError
+	if !errors.As(err, &parseErr) {
+		t.Fatalf("expected ParseError, got %T", err)
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -218,3 +218,12 @@ func TestLoadAppOptions_WithOverrides(t *testing.T) {`
`218`	`218`	`t.Fatalf("unexpected rate limits: %v/%d", got.RateLimitPerSecond, got.RateLimitBurst)`
`219`	`219`	`}`
`220`	`220`	`}`
	`221`	`+`
	`222`	`+func TestLoadAppOptions_InvalidNonPositiveJWTTTL(t *testing.T) {`
	`223`	`+ t.Setenv("JWT_TTL", "0s")`
	`224`	`+`
	`225`	`+ _, err := loadAppOptions()`
	`226`	`+ if err == nil {`
	`227`	`+ t.Fatalf("expected error for non-positive JWT_TTL")`
	`228`	`+ }`
	`229`	`+}`