
Extend password-set token TTL to 60 days#100

Merged: Alexanderamiri merged 1 commit into main from fix/password-token-ttl on Mar 26, 2026

Conversation

@Alexanderamiri
Member

Summary

  • Extends password-set token lifetime from 48 hours to 60 days
  • Removes time-based expiry check — tokens are enforced as single-use via DynamoDB jti dedup
  • Updates DynamoDB dedup record TTL to 60 days to match
  • Updates welcome email text: "gyldig i 48 timer" → "kan kun brukes én gang"

Test plan

  • Test account alexander-test@java.no created with welcome email sent to alexanderamiri@hotmail.com
  • Verify password-set link works after deploy
  • Verify link cannot be reused after password is set

… check

Tokens are already single-use via DynamoDB jti dedup. The 48h expiry
caused friction when heroes didn't set their password in time. Now
tokens live 60 days with one-time use as the primary guard.
@Alexanderamiri Alexanderamiri requested a review from a team as a code owner March 26, 2026 20:12
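The single-use-via-jti-dedup pattern this PR relies on, as an added example that is not the project's code: the page does not show the Lambda's language or the table layout, so this is a Python sketch with an in-memory stand-in for the DynamoDB table. The token is an HMAC-signed payload carrying a random `jti` and its issue time; consuming it means verifying the signature and then claiming the `jti` with one atomic conditional put (the DynamoDB equivalent is `PutItem` with `ConditionExpression="attribute_not_exists(jti)"`), never a read followed by a write. The 60-day constants and the rule that the dedup record's TTL matches the token lifetime come from the PR; whether an age check stays in the consumer is a design choice, and this example keeps one so that a dedup record written at first use always outlives the token it marks as consumed.

```python
"""Single-use password-set tokens guarded by a jti dedup record.

Added example, not the project's code. The DedupTable class is an
in-memory stand-in for the DynamoDB table; put_if_absent mirrors
PutItem with ConditionExpression="attribute_not_exists(jti)".
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL_SECONDS = 60 * 24 * 3600       # 60 days, as in the PR
DEDUP_TTL_SECONDS = TOKEN_TTL_SECONDS    # dedup record lifetime matched to the token


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(email: str, key: bytes, now: int) -> str:
    """Mint a password-set token as payload.signature with a random jti."""
    payload = {"sub": email, "jti": secrets.token_urlsafe(16), "iat": now}
    body = _b64u(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class DedupTable:
    """Stand-in for the DynamoDB jti table (constructed for this example).

    expires_at is the epoch-seconds TTL attribute. Items whose TTL has
    passed are treated as absent, which is what DynamoDB's TTL sweeper
    eventually does on a real table.
    """

    def __init__(self):
        self._items = {}

    def put_if_absent(self, jti: str, expires_at: int, now: int) -> bool:
        # In boto3 this is table.put_item(Item=..., ConditionExpression=
        # "attribute_not_exists(jti)"), which raises ClientError with code
        # ConditionalCheckFailedException when the jti is already present.
        existing = self._items.get(jti)
        if existing is not None and existing > now:
            return False
        self._items[jti] = expires_at
        return True


def consume_token(token: str, key: bytes, table: DedupTable, now: int):
    """Verify and atomically claim a token. Returns (status, email_or_None)."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return ("malformed", None)
    expected = _b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return ("bad_signature", None)
    payload = json.loads(_b64u_decode(body))
    # Age check (assumed here): guarantees the dedup record written below,
    # which lasts DEDUP_TTL_SECONDS from first use, outlives the token.
    if now - payload["iat"] > TOKEN_TTL_SECONDS:
        return ("expired", None)
    # Claim-then-act: the conditional put is the single-use guard. A plain
    # get-then-put would let two concurrent requests both succeed.
    if not table.put_if_absent(payload["jti"], now + DEDUP_TTL_SECONDS, now):
        return ("already_used", None)
    return ("ok", payload["sub"])


def demo():
    """Issue a token, use it on day 50, then try to replay it."""
    key = secrets.token_bytes(32)          # per-deployment signing secret (constructed)
    table = DedupTable()
    t0 = int(time.time())
    tok = issue_token("hero@example.org", key, t0)
    first = consume_token(tok, key, table, t0 + 50 * 24 * 3600)
    second = consume_token(tok, key, table, t0 + 50 * 24 * 3600 + 5)
    return first, second


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: signature first (so unauthenticated input never touches the table), age second, and the conditional put last, so that a rejected token never leaves a dedup record behind and a successful claim is the only path that sets the password.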
@github-actions

Terraform Plan

🚧 Changes detected — Plan: 0 to add, 2 to change, 0 to destroy.

Plan output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.lambdas.aws_lambda_function.password_set will be updated in-place
  ~ resource "aws_lambda_function" "password_set" {
        id                             = "javabin-password-set"
      ~ last_modified                  = "2026-03-26T20:01:54.962+0000" -> (known after apply)
      ~ source_code_hash               = "cnfbZclmmOihxEavJ9qzl0sWNVkMkSrS38/J9xrY64M=" -> "JtDyyH+119D/bjctlfRfw9sHFMuvF+0J+qJAEOzj0SE="
        tags                           = {}
        # (21 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.lambdas.aws_lambda_function.team_provisioner will be updated in-place
  ~ resource "aws_lambda_function" "team_provisioner" {
        id                             = "javabin-team-provisioner"
      ~ last_modified                  = "2026-03-26T19:54:44.485+0000" -> (known after apply)
      ~ source_code_hash               = "L0rHrapn4tswy1SSUCZu6UHKOkGme4ZXtfJKUgNi+o0=" -> "jsKGWwFMmlUixdZyuNYiJ/4JdwuXeac/mjIxmWOe4cU="
        tags                           = {}
        # (21 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan"

LLM Review

Risk: 🟢 LOW

Routine Lambda function code updates for password_set and team_provisioner with no infrastructure changes.

  • [routine] Lambda function password_set being updated in-place with new source code hash. No configuration changes, permissions, or triggers modified.
  • [routine] Lambda function team_provisioner being updated in-place with new source code hash. No configuration changes, permissions, or triggers modified.
  • [routine] No resources being created or destroyed. Plan shows 0 additions and 0 deletions - only 2 in-place updates to Lambda function code.
  • [routine] No IAM policy changes, security group modifications, or access control updates in this plan.
  • [routine] No cost-impacting changes. Existing infrastructure (ALB, NAT gateway, RDS, etc.) remains unchanged.

@Alexanderamiri Alexanderamiri merged commit a107151 into main Mar 26, 2026
3 checks passed
@Alexanderamiri Alexanderamiri deleted the fix/password-token-ttl branch March 26, 2026 20:35
Alexanderamiri added a commit that referenced this pull request May 9, 2026