From ae4be91d525cb52c922822f39d87bceaf380a49e Mon Sep 17 00:00:00 2001
From: Eli Ribble
Date: Thu, 13 Nov 2025 15:15:35 +0000
Subject: [PATCH] Use max refresh token expiration time in production
Keep the value low for dev so that I can test that we recover well.
---
 arcgis.go | 16 +++++++++++++---
 endpoint.go | 3 +--
 main.go | 15 ++++++++++++++-
 3 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/arcgis.go b/arcgis.go
index 5330fcfa..3777868d 100644
--- a/arcgis.go
+++ b/arcgis.go
@@ -56,7 +56,7 @@ type OAuthTokenResponse struct {
 }
 // Build the ArcGIS authorization URL with PKCE
-func buildArcGISAuthURL(clientID string, expiration int) string {
+func buildArcGISAuthURL(clientID string) string {
 baseURL := "https://www.arcgis.com/sharing/rest/oauth2/authorize/"
 params := url.Values{}
@@ -65,6 +65,16 @@ func buildArcGISAuthURL(clientID string, expiration int) string {
 params.Add("response_type", "code")
 //params.Add("code_challenge", generateCodeChallenge(codeVerifier))
 //params.Add("code_challenge_method", "S256")
+
+ // See https://developers.arcgis.com/rest/users-groups-and-items/token/
+ // expiration is defined in minutes
+ var expiration int
+ if IsProductionEnvironment() {
+ // 2 weeks is the maximum allowed
+ expiration = 20160
+ } else {
+ expiration = 20
+ }
 params.Add("expiration", strconv.Itoa(expiration))
 return baseURL + "?" + params.Encode()
@@ -456,8 +466,8 @@ func maintainOAuth(ctx context.Context, oauth *models.OauthToken) error {
 if err != nil {
 return fmt.Errorf("Failed to update oauth token from database: %v", err)
 }
- accessTokenDelay := time.Until(oauth.AccessTokenExpires) - (10 * time.Second)
- refreshTokenDelay := time.Until(oauth.RefreshTokenExpires) - (10 * time.Second)
+ accessTokenDelay := time.Until(oauth.AccessTokenExpires) - (3 * time.Second)
+ refreshTokenDelay := time.Until(oauth.RefreshTokenExpires) - (3 * time.Second)
 if oauth.AccessTokenExpires.Before(time.Now()) {
 accessTokenDelay = 0
 }
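Review bot: The doc comment kept above `buildArcGISAuthURL` in arcgis.go (hunk at -56,7) still says the URL is built "with PKCE", but the following hunk shows both `code_challenge` lines commented out, and the comment does not mention that the function now picks the token lifetime itself. I would reword it to `// buildArcGISAuthURL returns the ArcGIS authorize URL for clientID. PKCE is currently disabled; the requested expiration depends on IsProductionEnvironment().` so a reader does not assume a protection that the request does not carry. The function body continues past this hunk.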
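Review bot: The production branch in arcgis.go (hunk at -65,6) hard-codes `20160` and the dev branch `20` as bare literals, and the larger one is the security-relevant value: a refresh token requested with it stays usable for up to two weeks if it leaks. I would name them, for example `const prodExpirationMinutes = 14 * 24 * 60` and `const devExpirationMinutes = 20`, so the unit and the trade-off are visible where the value is defined. Since the tokens appear to be persisted (the maintainOAuth hunk refers to the database), it is worth confirming that the stored refresh token is protected at rest and can be revoked. buildArcGISAuthURL starts outside this hunk.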
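Review bot: In maintainOAuth (arcgis.go, hunk at -456,8) the refresh margin drops from 10 to 3 seconds in every environment, although the commit message only motivates short values for dev; three seconds leaves little room for the refresh request itself or for clock skew before the token lapses. The literal is also written twice, so a named value such as `const tokenRefreshMargin = 3 * time.Second` would keep the two delays in step. Only `accessTokenDelay` is clamped to zero in the visible lines; whether `refreshTokenDelay` gets the same treatment cannot be seen because the function continues outside the hunk.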
diff --git a/endpoint.go b/endpoint.go
index f73cf8dc..2df4833a 100644
--- a/endpoint.go
+++ b/endpoint.go
@@ -12,8 +12,7 @@ import (
 )
 func getArcgisOauthBegin(w http.ResponseWriter, r *http.Request) {
- expiration := 60
- authURL := buildArcGISAuthURL(ClientID, expiration)
+ authURL := buildArcGISAuthURL(ClientID)
 http.Redirect(w, r, authURL, http.StatusFound)
 }
diff --git a/main.go b/main.go
index 9e867b68..d8c27d99 100644
--- a/main.go
+++ b/main.go
@@ -18,7 +18,7 @@ import (
 var sessionManager *scs.SessionManager
-var BaseURL, ClientID, ClientSecret string
+var BaseURL, ClientID, ClientSecret, Environment string
 func main() {
 ClientID = os.Getenv("ARCGIS_CLIENT_ID")
@@ -40,6 +40,15 @@ func main() {
 if bind == "" {
 bind = ":9001"
 }
+ Environment = os.Getenv("ENVIRONMENT")
+ if Environment == "" {
+ slog.Error("You must specify a non-empty ENVIRONMENT")
+ os.Exit(1)
+ }
+ if !(Environment == "PRODUCTION" || Environment == "DEVELOPMENT") {
+ slog.Error("ENVIRONMENT should be either DEVELOPMENT or PRODUCTION", slog.String("ENVIRONMENT", Environment))
+ os.Exit(2)
+ }
 pg_dsn := os.Getenv("POSTGRES_DSN")
 if pg_dsn == "" {
 slog.Error("You must specify a non-empty POSTGRES_DSN")
@@ -132,3 +141,7 @@ func main() {
 slog.Info("Shutdown complete")
 }
+
+func IsProductionEnvironment() bool {
+ return Environment == "PRODUCTION"
+}
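Review bot: getArcgisOauthBegin in endpoint.go now passes only `ClientID` to buildArcGISAuthURL, so the handler has no way to hand a per-request OAuth `state` value to the authorize request. Unless the callback binds the response to the initiating session in some way not visible here, the login flow lacks that check, and this matters more now that production asks for a two-week refresh token. I would generate a random value in this handler, keep it in the session, send it as `params.Add("state", state)`, and compare it in the callback before exchanging the code.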
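Review bot: The ENVIRONMENT check in main.go (hunk at -40,6) spells "PRODUCTION" as a string literal, and the exported helper `IsProductionEnvironment` in the last hunk repeats it and has no doc comment. Because this value now selects the token lifetime, a single definition such as `const envProduction = "PRODUCTION"` (with a matching `envDevelopment`) used by both the validation and the helper removes the chance of the two drifting apart. A comment like `// IsProductionEnvironment reports whether ENVIRONMENT was set to PRODUCTION at startup.` would cover the helper. The validation sits inside main, which starts and ends outside this hunk.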