Default or zero expiry time in access token makes it valid even if it's expired

[nregati]

For some token endpoints out there, if the access token response doesn't contain the expires_in field, while unmarshaling this response body, it assigns a default or zero time 0001-01-01 00:00:00 +0000 as the expiry.

This causes the access token to be valid in the below func expired() even if it's expired. Ideally, the zero time is before the current time; should it invalidate this? Should the below code return true when if t.Expiry.IsZero() ?

[email protected]/token.go

// timeNow is time.Now but pulled out as a variable for tests.
var timeNow = time.Now

// expired reports whether the token is expired.
// t must be non-nil.
func (t *Token) expired() bool {
	if t.Expiry.IsZero() {
		return false
	}

	expiryDelta := defaultExpiryDelta
	if t.expiryDelta != 0 {
		expiryDelta = t.expiryDelta
	}
	return t.Expiry.Round(0).Add(-expiryDelta).Before(timeNow())
}

// Valid reports whether t is non-nil, has an AccessToken, and is not expired.
func (t *Token) Valid() bool {
	return t != nil && t.AccessToken != "" && !t.expired()
}