Default or zero expiry time in access token makes it valid even if it's expired #738

Closed as not planned
@nregati

Description

For some token endpoints out there, if the access token response doesn't contain the expires_in field, while unmarshaling this response body, it assigns a default or zero time 0001-01-01 00:00:00 +0000 as the expiry.

This causes the access token to be valid in the below func expired() even if it's expired. Ideally, the zero time is before the current time; should it invalidate this? Should the below code return true if t.Expiry.IsZero()?

[email protected]/token.go

// timeNow is time.Now but pulled out as a variable for tests.
var timeNow = time.Now

// expired reports whether the token is expired.
// t must be non-nil.
func (t *Token) expired() bool {
	if t.Expiry.IsZero() {
		return false
	}

	expiryDelta := defaultExpiryDelta
	if t.expiryDelta != 0 {
		expiryDelta = t.expiryDelta
	}
	return t.Expiry.Round(0).Add(-expiryDelta).Before(timeNow())
}

// Valid reports whether t is non-nil, has an AccessToken, and is not expired.
func (t *Token) Valid() bool {
	return t != nil && t.AccessToken != "" && !t.expired()
}
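
The behaviour described in this issue, reproduced as an added example that is not part of the original post or of the oauth2 project's code. The `token` type, `parseToken`, `valid`, `capExpiry` and the sample response are hypothetical names and constructed data; `capExpiry` shows one assumed caller-side policy for bounding the lifetime of a token that arrived without `expires_in`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

const sampleResponse = `{"access_token":"example-token","token_type":"Bearer"}` // constructed; no expires_in

type token struct { // hypothetical stand-in for the library's Token
	AccessToken string
	Expiry      time.Time
}

// parseToken decodes a token response; without expires_in, Expiry stays the zero time.
func parseToken(body []byte, now time.Time) (*token, error) {
	var r struct {
		AccessToken string `json:"access_token"`
		ExpiresIn   int64  `json:"expires_in"`
	}
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, err
	}
	t := &token{AccessToken: r.AccessToken}
	if r.ExpiresIn > 0 {
		t.Expiry = now.Add(time.Duration(r.ExpiresIn) * time.Second)
	}
	return t, nil
}

// valid follows the quoted logic (expiryDelta omitted): a zero Expiry never expires.
func valid(t *token, now time.Time) bool {
	return t != nil && t.AccessToken != "" && (t.Expiry.IsZero() || !t.Expiry.Before(now))
}

// capExpiry is an assumed caller-side policy: bound the life of tokens with no expiry.
func capExpiry(t *token, issued time.Time, maxLifetime time.Duration) {
	if t.Expiry.IsZero() {
		t.Expiry = issued.Add(maxLifetime)
	}
}

func main() {
	issued := time.Now()
	tok, _ := parseToken([]byte(sampleResponse), issued)
	fmt.Println("uncapped, valid 48h later:", valid(tok, issued.Add(48*time.Hour)))
	capExpiry(tok, issued, time.Hour)
	fmt.Println("capped, valid 48h later:", valid(tok, issued.Add(48*time.Hour)))
}
```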
