fix(config):add auth environment defaults

surfsense_backend/.env.example

@@ -81,9 +81,24 @@ STRIPE_RECONCILIATION_INTERVAL=10m
 
 SECRET_KEY=SECRET
 
-# JWT Token Lifetimes (optional, defaults shown)
-# ACCESS_TOKEN_LIFETIME_SECONDS=86400      # 1 day
-# REFRESH_TOKEN_LIFETIME_SECONDS=1209600   # 2 weeks
+# JWT/session lifetimes (optional, defaults shown)
+# ACCESS_TOKEN_LIFETIME_SECONDS=1800        # 30 minutes
+# REFRESH_TOKEN_LIFETIME_SECONDS=1209600    # 14-day inactivity window
+# REFRESH_ROTATION_GRACE_SECONDS=45
+# REFRESH_ABSOLUTE_LIFETIME_SECONDS=2592000 # 30-day absolute cap
+#
+# Web session cookies. Leave COOKIE_DOMAIN empty for self-hosted same-origin
+# Docker. In cloud, use .surfsense.com so api., zero., and the app share the
+# first-party session cookie.
+# SESSION_COOKIE_NAME=surfsense_session
+# REFRESH_COOKIE_NAME=surfsense_refresh
+# SESSION_COOKIE_SECURE_POLICY=auto
+# SESSION_COOKIE_SAMESITE=lax
+# COOKIE_DOMAIN=
+#
+# Comma-separated allow-list for cookie-session unsafe requests. Defaults also
+# include NEXT_FRONTEND_URL and SURFSENSE_PUBLIC_URL when set.
+# CSRF_ALLOWED_ORIGINS=http://localhost:3000
 # Personal Access Tokens (PATs). Empty/unset = no maximum; users may create
 # never-expiring PATs. When set, PAT creation requires an expiry <= this many days.
 # PAT_MAX_EXPIRY_DAYS=
@@ -115,6 +130,8 @@ REGISTRATION_ENABLED=TRUE or FALSE
 # For Google Auth Only
 GOOGLE_OAUTH_CLIENT_ID=924507538m
 GOOGLE_OAUTH_CLIENT_SECRET=GOCSV
+GOOGLE_DESKTOP_CLIENT_ID=your_google_desktop_client_id
+GOOGLE_DESKTOP_CLIENT_SECRET=your_google_desktop_client_secret
 GOOGLE_PICKER_API_KEY=your-google-picker-api-key
 
 # Google Connector Specific Configurations