fix(java): offset via requestOptions

Author: dgawande12

README.md

@@ -189,15 +189,14 @@ Default behaviour:
 - Calls to `getAccessToken()` (or `getAccessToken(false)`) reuse the cached token while it is still considered valid under this adjusted expiry.
 - `getAccessToken(true)` always forces a fresh token (bypasses cache).
 
-You can override the proactive offset by supplying a custom value (milliseconds) via the constructor overload.
+You can override the proactive offset by configuring it in `RequestOptions`:
 
 #### Example
 ```java
-ConfidentialClient client10s = new ConfidentialClient(
-    "./path/to/config.json",
-    RequestOptions.builder().build(),
-    10000L // 10 second proactive expiry offset
-);
+RequestOptions options10s = RequestOptions.builder()
+    .accessTokenExpiryOffsetMillis(90_000L) // 90 seconds
+    .build();
+ConfidentialClient client10s = new ConfidentialClient("./path/to/config.json", options10s);
 ```
 
 ## Modules

src/main/java/com/factset/sdk/utils/authentication/ConfidentialClient.java

@@ -67,7 +67,7 @@ public class ConfidentialClient implements OAuth2Client {
     public ConfidentialClient(final String configPath)
         throws AuthServerMetadataContentException, AuthServerMetadataException,
         ConfigurationException {
-        this(new Configuration(configPath), RequestOptions.builder().build(), Constants.DEFAULT_ACCESS_TOKEN_EXPIRY_OFFSET_MILLIS);
+        this(new Configuration(configPath), RequestOptions.builder().build());
     }
 
     /**
@@ -85,19 +85,7 @@ public ConfidentialClient(final String configPath)
     public ConfidentialClient(final String configPath, RequestOptions requestOptions)
             throws AuthServerMetadataContentException, AuthServerMetadataException,
             ConfigurationException {
-        this(new Configuration(configPath), requestOptions, Constants.DEFAULT_ACCESS_TOKEN_EXPIRY_OFFSET_MILLIS);
-    }
-
-    /**
-     * Creates a new ConfidentialClient with a custom proactive expiry offset.
-     * @param configPath path to config file
-     * @param requestOptions request options (proxy/ssl)
-     * @param accessTokenExpiryOffsetMillis milliseconds subtracted from server expiry (non-negative)
-     */
-    public ConfidentialClient(final String configPath, RequestOptions requestOptions, long accessTokenExpiryOffsetMillis)
-            throws AuthServerMetadataContentException, AuthServerMetadataException,
-            ConfigurationException {
-        this(new Configuration(configPath), requestOptions, accessTokenExpiryOffsetMillis);
+        this(new Configuration(configPath), requestOptions);
     }
 
     /**
@@ -112,7 +100,7 @@ public ConfidentialClient(final String configPath, RequestOptions requestOptions
      */
     public ConfidentialClient(final Configuration config)
         throws AuthServerMetadataContentException, AuthServerMetadataException {
-        this(config, RequestOptions.builder().build(), Constants.DEFAULT_ACCESS_TOKEN_EXPIRY_OFFSET_MILLIS);
+        this(config, RequestOptions.builder().build());
     }
 
     /**
@@ -128,22 +116,11 @@ public ConfidentialClient(final Configuration config)
      */
     public ConfidentialClient(final Configuration config, RequestOptions requestOptions)
             throws AuthServerMetadataContentException, AuthServerMetadataException {
-        this(config, requestOptions, Constants.DEFAULT_ACCESS_TOKEN_EXPIRY_OFFSET_MILLIS);
-    }
-
-    /**
-     * Core constructor with configurable access token proactive expiry offset.
-     * @param config configuration
-     * @param requestOptions request options
-     * @param accessTokenExpiryOffsetMillis milliseconds to subtract from token lifetime when computing internal expiry
-     */
-    public ConfidentialClient(final Configuration config, RequestOptions requestOptions, long accessTokenExpiryOffsetMillis)
-            throws AuthServerMetadataContentException, AuthServerMetadataException {
         Objects.requireNonNull(config, "Configuration object must not be null");
         this.config = config;
         LOGGER.debug("Finished initialising configuration");
         this.requestOptions = requestOptions == null ? RequestOptions.builder().build() : requestOptions;
-        this.accessTokenExpiryOffsetMillis = accessTokenExpiryOffsetMillis;
+        this.accessTokenExpiryOffsetMillis = this.requestOptions.getAccessTokenExpiryOffsetMillis();
         this.requestProviderMetadata();
     }
 
@@ -163,7 +140,7 @@ protected ConfidentialClient(final String configPath, final TokenRequestBuilder
         throws AuthServerMetadataContentException,
         AuthServerMetadataException,
         ConfigurationException {
-        this(new Configuration(configPath), RequestOptions.builder().build(), Constants.DEFAULT_ACCESS_TOKEN_EXPIRY_OFFSET_MILLIS);
+        this(new Configuration(configPath), RequestOptions.builder().build());
         this.tokenRequestBuilder = tokReqBuilder.uri(this.providerMetadata.getTokenEndpointURI());
     }
 
@@ -181,7 +158,7 @@ protected ConfidentialClient(final String configPath, final TokenRequestBuilder
     protected ConfidentialClient(final Configuration config, final TokenRequestBuilder tokReqBuilder)
         throws AuthServerMetadataContentException,
         AuthServerMetadataException {
-        this(config, RequestOptions.builder().build(), Constants.DEFAULT_ACCESS_TOKEN_EXPIRY_OFFSET_MILLIS);
+        this(config, RequestOptions.builder().build());
         this.tokenRequestBuilder = tokReqBuilder.uri(this.providerMetadata.getTokenEndpointURI());
     }
 
@@ -200,7 +177,7 @@ protected ConfidentialClient(final Configuration config, final TokenRequestBuild
     protected ConfidentialClient(final Configuration config, final TokenRequestBuilder tokReqBuilder, RequestOptions requestOptions)
             throws AuthServerMetadataContentException,
             AuthServerMetadataException {
-        this(config, requestOptions, Constants.DEFAULT_ACCESS_TOKEN_EXPIRY_OFFSET_MILLIS);
+        this(config, requestOptions);
         this.tokenRequestBuilder = tokReqBuilder.uri(this.providerMetadata.getTokenEndpointURI());
     }
 
@@ -306,9 +283,21 @@ private String fetchAccessToken() throws AccessTokenException, SigningJwsExcepti
 
         if (tokenRes.indicatesSuccess()) {
             this.accessToken = tokenRes.toSuccessResponse().getTokens().getAccessToken();
-            this.accessTokenExpireTime =
-                this.jwsIssuedAt + TimeUnit.SECONDS.toMillis(this.accessToken.getLifetime()) - this.accessTokenExpiryOffsetMillis;
-            LOGGER.info("Fetched access token which expires in: {} seconds (buffered)", this.accessToken.getLifetime());
+            long lifetimeMillis = TimeUnit.SECONDS.toMillis(this.accessToken.getLifetime());
+            long rawOffset = this.accessTokenExpiryOffsetMillis;
+
+            long clampedOffset;
+            if (rawOffset >= 899_000L) {
+                clampedOffset = 899_000L - 1;
+                LOGGER.warn("Proactive expiry offset {}ms >= 899 seconds. Clamped to {}ms.", rawOffset, clampedOffset);
+            } else {
+                clampedOffset = rawOffset;
+            }
+
+            long effectiveLifetime = lifetimeMillis - clampedOffset;
+            this.accessTokenExpireTime = this.jwsIssuedAt + effectiveLifetime;
+            LOGGER.info("Fetched access token (serverLifetime={}s, offsetApplied={}ms, effectiveLifetime={}ms)",
+                    this.accessToken.getLifetime(), clampedOffset, effectiveLifetime);
             return this.accessToken.toString();
         }
 

src/main/java/com/factset/sdk/utils/authentication/Constants.java

@@ -13,11 +13,6 @@ public final class Constants {
     // default values
     public static final String FACTSET_WELL_KNOWN_URI = "https://auth.factset.com/.well-known/openid-configuration";
 
-    /**
-     * Default buffer (in milliseconds) to refresh access token before actual expiry.
-     */
-    public static final long DEFAULT_ACCESS_TOKEN_EXPIRY_OFFSET_MILLIS = 30000L;
-
     private Constants() {
         throw new IllegalStateException("Utility class");
     }

src/main/java/com/factset/sdk/utils/authentication/RequestOptions.java

@@ -22,4 +22,7 @@ public class RequestOptions {
 
     @Builder.Default
     String userAgent = "fds-sdk/java/utils/1.1.5 (" + System.getProperty("os.name") + "; Java" + System.getProperty("java.version") + ")";
+
+    @Builder.Default
+    long accessTokenExpiryOffsetMillis = 30_000L;
 }

src/test/java/com/factset/sdk/utils/authentication/ConfidentialClientTest.java

@@ -361,6 +361,62 @@ void accessTokenFiftySecondOffsetTriggersRefetchAfterEarlyExpirySingleToken() th
         verify(harness.httpRequestMock, times(2)).send();
     }
 
+    @Test
+    void accessTokenDefaultOffsetUsesThirtySeconds() throws Exception {
+        RequestOptions defaultOptions = RequestOptions.builder().build();
+        TestHarness harness = createClientTokenCustomOffset(30_000L);
+
+        String token = harness.client.getAccessToken();
+        assertEquals("tokenSingle", token);
+
+        assertEquals(30_000L, defaultOptions.getAccessTokenExpiryOffsetMillis(), "RequestOptions should have default 30s offset");
+
+        java.lang.reflect.Field issuedAtField = ConfidentialClient.class.getDeclaredField("jwsIssuedAt");
+        java.lang.reflect.Field expiryField = ConfidentialClient.class.getDeclaredField("accessTokenExpireTime");
+        issuedAtField.setAccessible(true);
+        expiryField.setAccessible(true);
+
+        long issuedAt = (long) issuedAtField.get(harness.client);
+        long internalExpiry = (long) expiryField.get(harness.client);
+        long expectedDelta = 899_000L - 30_000L;
+        assertEquals(expectedDelta, internalExpiry - issuedAt, "Internal expiry should be lifetime - default offset");
+    }
+
+    @Test
+    void accessTokenNegativeOffsetExtendsLifetime() throws Exception {
+        TestHarness harness = createClientTokenCustomOffset(-10_000L);
+
+        String first = harness.client.getAccessToken();
+        assertEquals("tokenSingle", first);
+        verify(harness.httpRequestMock, times(1)).send();
+
+        java.lang.reflect.Field issuedAtField = ConfidentialClient.class.getDeclaredField("jwsIssuedAt");
+        java.lang.reflect.Field expiryField = ConfidentialClient.class.getDeclaredField("accessTokenExpireTime");
+        issuedAtField.setAccessible(true);
+        expiryField.setAccessible(true);
+        long issuedAt = (long) issuedAtField.get(harness.client);
+        long internalExpiry = (long) expiryField.get(harness.client);
+        long expectedDelta = 899_000L - (-10_000L);
+        assertEquals(expectedDelta, internalExpiry - issuedAt, "Negative offset should extend lifetime");
+    }
+
+    @Test
+    void accessTokenLargeOffsetGetsClampedToUnder899Seconds() throws Exception {
+        TestHarness harness = createClientTokenCustomOffset(900_000L);
+
+        String first = harness.client.getAccessToken();
+        assertEquals("tokenSingle", first);
+
+        java.lang.reflect.Field issuedAtField = ConfidentialClient.class.getDeclaredField("jwsIssuedAt");
+        java.lang.reflect.Field expiryField = ConfidentialClient.class.getDeclaredField("accessTokenExpireTime");
+        issuedAtField.setAccessible(true);
+        expiryField.setAccessible(true);
+        long issuedAt = (long) issuedAtField.get(harness.client);
+        long internalExpiry = (long) expiryField.get(harness.client);
+        long expectedDelta = 899_000L - (899_000L - 1);
+        assertEquals(expectedDelta, internalExpiry - issuedAt, "Large offset should be clamped, leaving 1ms effective lifetime");
+    }
+
     private static TestHarness createClientTokenCustomOffset(long offsetMillis) throws Exception {
         HttpURLConnection mockedConn = mock(HttpURLConnection.class);
         URL mockedURL = getUrlMockResponse("exampleResponseWellKnownUri.txt", mockedConn);
@@ -380,7 +436,11 @@ private static TestHarness createClientTokenCustomOffset(long offsetMillis) thro
         doReturn(httpRequestMock).when(tokenRequestMock).toHTTPRequest();
         when(httpRequestMock.send()).thenReturn(res, res);
 
-        ConfidentialClient client = new ConfidentialClient(configurationMock, RequestOptions.builder().build(), offsetMillis);
+        RequestOptions requestOptionsWithOffset = RequestOptions.builder()
+            .accessTokenExpiryOffsetMillis(offsetMillis)
+            .build();
+
+        ConfidentialClient client = new ConfidentialClient(configurationMock, requestOptionsWithOffset);
         java.lang.reflect.Field f = ConfidentialClient.class.getDeclaredField("tokenRequestBuilder");
         f.setAccessible(true);
         f.set(client, tokenRequestBuilderSpy);