update access token expiry logic

CodeSchwert · CodeSchwert · commit bd4c8d0d8f93 · 2025-07-14T16:10:34.000+12:00
diff --git a/packages/passport/sdk/src/utils/token.test.ts b/packages/passport/sdk/src/utils/token.test.ts
@@ -7,16 +7,23 @@ import { isIdTokenExpired, isAccessTokenExpiredOrExpiring } from './token';
 const now = Math.floor(Date.now() / 1000);
 const oneHourLater = now + 3600;
 const oneHourBefore = now - 3600;
+const fifteenSecondsLater = now + 15;
+const fortyFiveSecondsLater = now + 45;
 
 const mockExpiredIdToken = encode({
   iat: oneHourBefore,
   exp: oneHourBefore,
 }, 'secret');
+
 export const mockValidIdToken = encode({
   iat: now,
   exp: oneHourLater,
 }, 'secret');
 
+const mockFreshAccessToken = encode({
+  exp: fortyFiveSecondsLater, // Expires in 45 seconds (outside 30-second buffer)
+}, 'secret');
+
 describe('isIdTokenExpired', () => {
   it('should return false if idToken is undefined', () => {
     expect(isIdTokenExpired(undefined)).toBe(false);
@@ -32,26 +39,83 @@ describe('isIdTokenExpired', () => {
 });
 
 describe('isAccessTokenExpiredOrExpiring', () => {
-  it('should return true if expired is true', () => {
+  it('should return true if access token is missing', () => {
     const user = {
       id_token: mockValidIdToken,
-      expired: true,
+      access_token: undefined,
+    } as unknown as OidcUser;
+    expect(isAccessTokenExpiredOrExpiring(user)).toBe(true);
+  });
+
+  it('should return true if id token is missing', () => {
+    const mockValidAccessToken = encode({
+      exp: oneHourLater,
+    }, 'secret');
+
+    const user = {
+      id_token: undefined,
+      access_token: mockValidAccessToken,
     } as unknown as OidcUser;
     expect(isAccessTokenExpiredOrExpiring(user)).toBe(true);
   });
 
-  it('should return false if idToken is valid', () => {
+  it('should return true if access token is expired', () => {
+    const mockExpiredAccessToken = encode({
+      exp: oneHourBefore,
+    }, 'secret');
+
     const user = {
       id_token: mockValidIdToken,
-      expired: false,
+      access_token: mockExpiredAccessToken,
     } as unknown as OidcUser;
-    expect(isAccessTokenExpiredOrExpiring(user)).toBe(false);
+    expect(isAccessTokenExpiredOrExpiring(user)).toBe(true);
+  });
+
+  it('should return true if access token is expiring within 30 seconds', () => {
+    const mockExpiringAccessToken = encode({
+      exp: fifteenSecondsLater, // Expires in 15 seconds (within 30-second buffer)
+    }, 'secret');
+
+    const user = {
+      id_token: mockValidIdToken,
+      access_token: mockExpiringAccessToken,
+    } as unknown as OidcUser;
+    expect(isAccessTokenExpiredOrExpiring(user)).toBe(true);
   });
 
-  it('should return true idToken is expired', () => {
+  it('should return true if access token is valid but id token is expired', () => {
     const user = {
       id_token: mockExpiredIdToken,
-      expired: false,
+      access_token: mockFreshAccessToken,
+    } as unknown as OidcUser;
+    expect(isAccessTokenExpiredOrExpiring(user)).toBe(true);
+  });
+
+  it('should return false if both tokens are valid and not expiring', () => {
+    const user = {
+      id_token: mockValidIdToken,
+      access_token: mockFreshAccessToken,
+    } as unknown as OidcUser;
+    expect(isAccessTokenExpiredOrExpiring(user)).toBe(false);
+  });
+
+  it('should return true if access token is malformed', () => {
+    const user = {
+      id_token: mockValidIdToken,
+      access_token: 'invalid-jwt-token',
+    } as unknown as OidcUser;
+    expect(isAccessTokenExpiredOrExpiring(user)).toBe(true);
+  });
+
+  it('should return true if access token has no exp claim (security vulnerability)', () => {
+    const accessTokenWithoutExp = encode({
+      iat: now,
+      sub: 'user123',
+    }, 'secret');
+
+    const user = {
+      id_token: mockValidIdToken,
+      access_token: accessTokenWithoutExp,
     } as unknown as OidcUser;
     expect(isAccessTokenExpiredOrExpiring(user)).toBe(true);
   });
diff --git a/packages/passport/sdk/src/utils/token.ts b/packages/passport/sdk/src/utils/token.ts
@@ -2,7 +2,7 @@ import jwt_decode from 'jwt-decode';
 import {
   User as OidcUser,
 } from 'oidc-client-ts';
-import { IdTokenPayload } from '../types';
+import { IdTokenPayload, TokenPayload } from '../types';
 
 export function isIdTokenExpired(idToken: string | undefined): boolean {
   if (!idToken) {
@@ -15,18 +15,29 @@ export function isIdTokenExpired(idToken: string | undefined): boolean {
 }
 
 export function isAccessTokenExpiredOrExpiring(oidcUser: OidcUser): boolean {
-  const { id_token: idToken, expired, expires_in } = oidcUser;
-  if (expired) {
-    return true;
-  }
+  const { id_token: idToken, access_token: accessToken } = oidcUser;
 
-  // if token will expire in 30 seconds or less, return true
-  if (expires_in && expires_in <= 30) {
+  // Handle missing tokens - assume they need to login again
+  if (!accessToken || !idToken) {
     return true;
   }
 
-  // Handle missing idToken - assume they need to login again
-  if (!idToken) {
+  // Decode the access token to check its expiration
+  try {
+    const decodedAccessToken = jwt_decode<TokenPayload>(accessToken);
+    const now = Math.floor(Date.now() / 1000);
+
+    // Access tokens without expiration claims are invalid (security vulnerability)
+    if (!decodedAccessToken.exp) {
+      return true;
+    }
+
+    // Check if access token is expired or expiring in 30 seconds or less
+    if (decodedAccessToken.exp <= now + 30) {
+      return true;
+    }
+  } catch (error) {
+    // If we can't decode the access token, assume it's invalid
     return true;
   }
 
