oauth2: expire the tokens 10 seconds earlier

It avoids the late expiration due to the server time mismatch. Change-Id: I126a76cff112fbeb92b71dd036195555b20e637b Reviewed-on: https://go-review.googlesource.com/3307 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2025-07-21 00:00:09 +08:00 · 2015-01-26 10:43:56 -08:00 · 2015-01-26 10:43:56 -08:00 · 2b74ab268d
commit 2b74ab268d
parent d8ba9d6c17
2 changed files with 27 additions and 2 deletions
--- a/token.go
+++ b/token.go
@ -10,6 +10,11 @@ import (
 	"time"
 )

+// expiryDelta determines how earlier a token should be considered
+// expired than its actual expiration time. It is used to avoid late
+// expirations due to client-server time mismatches.
+const expiryDelta = 10 * time.Second
+
 // Token represents the crendentials used to authorize
 // the requests to access protected resources on the OAuth 2.0
 // provider's backend.
@ -90,7 +95,7 @@ func (t *Token) expired() bool {
 	if t.Expiry.IsZero() {
 		return false
 	}
-	return t.Expiry.Before(time.Now())
+	return t.Expiry.Add(-expiryDelta).Before(time.Now())
 }

 // Valid reports whether t is non-nil, has an AccessToken, and is not expired.
--- a/token_test.go
+++ b/token_test.go
@ -4,7 +4,10 @@

 package oauth2

-import "testing"
+import (
+	"testing"
+	"time"
+)

 func TestTokenExtra(t *testing.T) {
 	type testCase struct {
@ -28,3 +31,20 @@ func TestTokenExtra(t *testing.T) {
 		}
 	}
 }
+
+func TestTokenExpiry(t *testing.T) {
+	now := time.Now()
+	cases := []struct {
+		name string
+		tok  *Token
+		want bool
+	}{
+		{name: "12 seconds", tok: &Token{Expiry: now.Add(12 * time.Second)}, want: false},
+		{name: "10 seconds", tok: &Token{Expiry: now.Add(expiryDelta)}, want: true},
+	}
+	for _, tc := range cases {
+		if got, want := tc.tok.expired(), tc.want; got != want {
+			t.Errorf("expired (%q) = %v; want %v", tc.name, got, want)
+		}
+	}
+}