fix(auth): validate JWT secret length, equalize login timing, reduce TTL to 24h

crates/bootstrap/src/factory.rs

@@ -1,4 +1,5 @@
-const JWT_TTL_SECS: i64 = 86_400 * 30;
+const JWT_TTL_SECS: i64 = 86_400; // 24 hours (was 30 days)
+const JWT_SECRET_MIN_BYTES: usize = 32; // 256 bits minimum for HS256
 
 use async_trait::async_trait;
 use sqlx::PgPool;
@@ -107,10 +108,16 @@ pub async fn build(cfg: &Config) -> Infrastructure {
         )),
         feed: Arc::new(postgres::feed::PgFeedRepository::new(pool.clone())),
         search: Arc::new(postgres_search::PgSearchRepository::new(pool.clone())),
-        auth: Arc::new(auth::JwtAuthService::new(
-            cfg.jwt_secret.clone(),
-            JWT_TTL_SECS,
-        )),
+        auth: Arc::new({
+            if cfg.jwt_secret.len() < JWT_SECRET_MIN_BYTES {
+                panic!(
+                    "JWT_SECRET is {} bytes — minimum is {} bytes for HS256 security",
+                    cfg.jwt_secret.len(),
+                    JWT_SECRET_MIN_BYTES,
+                );
+            }
+            auth::JwtAuthService::new(cfg.jwt_secret.clone(), JWT_TTL_SECS)
+        }),
         hasher: Arc::new(auth::Argon2PasswordHasher),
         events: event_publisher,
         federation: ap_service.clone() as Arc<dyn domain::ports::FederationActionPort>,