Adjusted the JWT access token expiry (exp) to 5 days from seven; also confirmed that it works and that an expired token loses access, and adjusted the clock skew to 0

2021-11-12 18:10:39 +00:00
parent eba68efc19
commit 000b53ea1e
4 changed files with 24 additions and 6 deletions


@@ -32,7 +32,7 @@ namespace AyaNova.Api.Controllers
private readonly ILogger<AuthController> log;
private readonly IConfiguration _configuration;
private readonly ApiServerState serverState;
private const int JWT_LIFETIME_DAYS = 7;
private const int JWT_LIFETIME_DAYS = 5;
/// <summary>
/// ctor
@@ -313,7 +313,25 @@ namespace AyaNova.Api.Controllers
//create a new datetime offset of now in utc time
var iat = new DateTimeOffset(DateTime.Now.ToUniversalTime(), TimeSpan.Zero);//timespan zero means zero time off utc / specifying this is a UTC datetime
//###################################
//Lifetime of jwt token
//after this point the user will no longer be able to make requests without logging in again
//and the client will automatically send them to the login screen
//so this is auto logout after this time period
//security wise the length of time is not an issue how long this is because our system allows to revoke tokens as they are checked on every access
//the adivce online is to make it short and use refresh tokens but that's not an issue with our system since we both issue and validate
//the tokens ourselves
//The only down side is that an expired license at the server will not prevent people from continuing to work until their token expires
//an expired license only stops a fresh login
//so whatever this value is will allow people who haven't logged out to continue to work until it expires
//so this really only controls how long we allow them to work with an expired ayanova license which would be a rare occurence I suspect
//so really to prevent fuckery for people 5 days seems fine meaning they won't need to sign in again all business week if they want to continue working
var exp = new DateTimeOffset(DateTime.Now.AddDays(JWT_LIFETIME_DAYS).ToUniversalTime(), TimeSpan.Zero);
//=============== download token ===================
@@ -602,7 +620,7 @@ namespace AyaNova.Api.Controllers
//https://github.com/google/google-authenticator/wiki/Key-Uri-Format
//otpauth://totp/ACME%20Co:john.doe@email.com?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30
//this format tested and works with Google, Microsoft Authy, Duo authenticators
string payload = $"otpauth://totp/AyaNova:{u.Name}?secret={u.TotpSecret}&issuer=AyaNova&algorithm=SHA1&digits=6&period=30";
string payload = $"otpauth://totp/AyaNova:{u.Name}?secret={u.TotpSecret}&issuer=AyaNova&algorithm=SHA1&digits=6&period=30";//NOTE: the 30 here is seconds the totp code is allowed to be used before a new one is required
QRCodeGenerator qrGenerator = new QRCodeGenerator();
QRCodeData qrCodeData = qrGenerator.CreateQrCode(payload, QRCodeGenerator.ECCLevel.Q);
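Review bot: In the second hunk of this file the new expiry on `var exp = new DateTimeOffset(DateTime.Now.AddDays(JWT_LIFETIME_DAYS).ToUniversalTime(), TimeSpan.Zero);` adds days in local time and only then converts to UTC, so the lifetime shifts by an hour when a DST transition falls inside the window, and it is not tied to the `iat` computed a few lines earlier; deriving both claims from one instant, `var exp = iat.AddDays(JWT_LIFETIME_DAYS);`, keeps them consistent and DST-neutral (the `iat` line has the same local-time round trip and could use `DateTimeOffset.UtcNow`). The long rationale comment justifies the five-day window by saying tokens are revocation-checked on every request; that check is not in this hunk, so a pointer to where it is enforced would let a reader confirm the premise the lifetime depends on. Since the rationale is about the constant rather than this call site, it would be more discoverable next to `JWT_LIFETIME_DAYS` in the first hunk. The enclosing method starts and ends outside the hunk.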


@@ -295,7 +295,7 @@ namespace AyaNova
// Token will only be valid if not expired yet, with 5 minutes clock skew.
ValidateLifetime = true,
RequireExpirationTime = true,
ClockSkew = new TimeSpan(0, 5, 0),
ClockSkew = TimeSpan.Zero//new TimeSpan(0, 0, 2),
};
});
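Review bot: The comment above `ValidateLifetime = true` still says the token is accepted "with 5 minutes clock skew", but the new setting is `ClockSkew = TimeSpan.Zero`, so the comment now states the opposite of the code; change it to `// Token is only valid until exp; no clock skew is tolerated because this server both issues and validates the tokens.` and drop the commented-out alternative so the line reads `ClockSkew = TimeSpan.Zero,`. With zero tolerance any clock difference between the issuing and validating process is reported as an expired token (or a not-yet-valid one, if a not-before claim is issued), which is harmless on a single host but would surface immediately if the API were ever run as several instances with unsynchronised clocks, and that assumption belongs in the comment. The options object this hunk sits in is opened and closed outside the hunk.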