Build 2602262030: add magent settings and hardening

backend/app/security.py

@@ -18,11 +18,30 @@ def verify_password(plain_password: str, hashed_password: str) -> bool:
     return _pwd_context.verify(plain_password, hashed_password)
 
 
+def _create_token(
+    subject: str,
+    role: str,
+    *,
+    expires_at: datetime,
+    token_type: str = "access",
+) -> str:
+    payload: Dict[str, Any] = {
+        "sub": subject,
+        "role": role,
+        "typ": token_type,
+        "exp": expires_at,
+    }
+    return jwt.encode(payload, settings.jwt_secret, algorithm=_ALGORITHM)
+
 def create_access_token(subject: str, role: str, expires_minutes: Optional[int] = None) -> str:
     minutes = expires_minutes or settings.jwt_exp_minutes
     expires = datetime.now(timezone.utc) + timedelta(minutes=minutes)
-    payload: Dict[str, Any] = {"sub": subject, "role": role, "exp": expires}
-    return jwt.encode(payload, settings.jwt_secret, algorithm=_ALGORITHM)
+    return _create_token(subject, role, expires_at=expires, token_type="access")
+
+
+def create_stream_token(subject: str, role: str, expires_seconds: int = 120) -> str:
+    expires = datetime.now(timezone.utc) + timedelta(seconds=max(30, int(expires_seconds or 120)))
+    return _create_token(subject, role, expires_at=expires, token_type="sse")
 
 
 def decode_token(token: str) -> Dict[str, Any]: