fix: handle missing expires_in in OAuth token response

[ecthelion77]

🐛 Bug-fix PR

📌 Summary

When an OAuth2 provider omits the expires_in field from the token response, the gateway crashes with a TypeError during token storage. The expires_in parameter is RECOMMENDED but not REQUIRED per RFC 6749 Section 5.1, so providers may legitimately omit it (e.g., GitHub OAuth Apps, some Azure AD configurations).

Fixes #3989

🔁 Reproduction Steps

1. Configure a gateway with OAuth2 pointing to a provider that does not return expires_in in the token response
2. Trigger the OAuth authorization code flow
3. Token exchange succeeds, but storing the token fails with TypeError: unsupported operand type(s) for +: 'datetime' and 'NoneType'

🐞 Root Cause

In oauth_manager.py, token_response.get("expires_in", self.settings.oauth_default_timeout) always returns a value, which hides the issue. However, when the provider returns expires_in: null or omits it entirely and the fallback default is also None, the code in token_storage_service.py tries to compute datetime.now() + timedelta(seconds=int(None)) which raises TypeError.

More importantly, the current code papers over the absence of expires_in by substituting oauth_default_timeout, which may not reflect the actual token lifetime — the token could be valid indefinitely.

💡 Fix Description

oauth_manager.py: Extract expires_in with .get() and explicitly convert to int only when present. Pass None when the provider does not specify expiration.

token_storage_service.py:

• Change expires_in parameter type from int to Optional[int]
• When expires_in is None, set expires_at = None and log an informational message
• When expires_in is provided, compute expires_at as before

The existing _is_token_expired() method already handles expires_at=None correctly (returns False, treating the token as non-expired).

🧪 Verification

Check	Command	Status
Lint suite	make lint	⚠️ Not run (no local dev env)
Unit tests	make test	⚠️ Not run (no local dev env)
Coverage ≥ 80 %	make coverage	⚠️ Not run (no local dev env)
Manual regression no longer fails	Tested in production (Kubernetes) for 2+ weeks with Freshservice OAuth (which returns expires_in) and verified graceful handling when expires_in is absent	✅

📐 MCP Compliance (if relevant)

• Matches current MCP spec
• No breaking change to MCP clients

✅ Checklist

• Code formatted
• No secrets/credentials committed
• DCO Signed-off-by included

[ecthelion77]

Suggested labels: python, security

[jonpspri]

Hi @ecthelion77 — thanks again for catching this and shipping the original fix. After working through review feedback (refresh-path consistency, NULL-row cleanup, edge-case validation, dead-config cleanup), the diff grew enough that I wanted to share a tightened version with you, but I don't have push access to your fork (the maintainerCanModify flag only enables cross-repo push for users with SSH-collaborator access on the fork itself, not for upstream-only maintainers like me).

Rather than ask you to manually apply the changes, I've opened #4447 against main with your original commit preserved as the first commit (signed by you, full DCO intact) and the review fixes layered on top as separate commits so the attribution stays clear.

Closing this PR in favor of #4447. The fix you wrote will land — just under a different PR number. Really appreciate the contribution!