fix(oauth): correctly expire cached token (#164)

fixes #163

Author: jwulf

package-lock.json

@@ -93,13 +93,13 @@
 	"devDependencies": {
 		"@commitlint/cli": "^18.4.3",
 		"@commitlint/config-conventional": "^18.4.3",
-		"@mokuteki/jwt": "^1.0.2",
 		"@semantic-release/changelog": "^6.0.3",
 		"@semantic-release/git": "^10.0.1",
 		"@sitapati/testcontainers": "^2.8.1",
 		"@types/debug": "^4.1.12",
 		"@types/express": "^4.17.21",
 		"@types/jest": "^29.5.11",
+		"@types/jsonwebtoken": "^9.0.6",
 		"@types/lodash.mergewith": "^4.6.9",
 		"@types/node": "^20.9.4",
 		"@types/node-fetch": "^2.6.11",
@@ -118,6 +118,7 @@
 		"grpc-tools": "^1.12.4",
 		"husky": "^8.0.3",
 		"jest": "^29.7.0",
+		"jsonwebtoken": "^9.0.2",
 		"lint-staged": "^15.2.0",
 		"prettier": "^3.1.1",
 		"semantic-release": "^22.0.12",

package.json

@@ -18,13 +18,14 @@ test('createClient', async () => {
 	const c = new AdminApiClient()
 	const clusters = await c.getClusters()
 	const clusterUuid = clusters[0].uuid
-	c.getClient(clusterUuid, 'testors')
+	const clientName = 'test_generated-delete-me'
+	c.getClient(clusterUuid, clientName)
 		.then((res) => c.deleteClient(clusterUuid, res.ZEEBE_CLIENT_ID))
 		.catch((e) => e)
 
 	const res = await c.createClient({
 		clusterUuid,
-		clientName: 'testors',
+		clientName,
 		permissions: ['Zeebe'],
 	})
 	const client = await c.getClient(clusterUuid, res.clientId)

src/__tests__/admin/admin.integration.spec.ts

@@ -353,7 +353,8 @@ export class OAuthProvider implements IOAuthProvider {
 		const key = this.getCacheKey(audience)
 		try {
 			const decoded = jwtDecode(token.access_token)
-
+			trace(`Caching token: ${JSON.stringify(decoded, null, 2)}`)
+			trace(`Caching token for ${audience} in memory. Expiry: ${decoded.exp}`)
 			token.expiry = decoded.exp ?? 0
 			this.tokenCache[key] = token
 		} catch (e) {
@@ -371,9 +372,11 @@ export class OAuthProvider implements IOAuthProvider {
 		const tokenFileName = this.getCachedTokenFileName(clientId, audience)
 		const tokenCachedInFile = fs.existsSync(tokenFileName)
 		if (!tokenCachedInFile) {
+			trace(`No file cached token for ${audience} found`)
 			return null
 		}
 		try {
+			trace(`Reading file cached token for ${audience}`)
 			token = JSON.parse(
 				fs.readFileSync(this.getCachedTokenFileName(clientId, audience), 'utf8')
 			)
@@ -422,10 +425,19 @@ export class OAuthProvider implements IOAuthProvider {
 	private isExpired(token: Token) {
 		const d = new Date()
 		const currentTime = d.setSeconds(d.getSeconds())
+
+		// token.expiry is seconds since Unix Epoch
+		// The Date constructor expects milliseconds since Unix Epoch
+		const tokenExpiryMs = token.expiry * 1000
+
+		trace(`Checking token expiry for ${token.audience}`)
+		trace(`  Current time: ${currentTime}`)
+		trace(`  Token expiry: ${tokenExpiryMs}`)
+
 		// If the token has 10 seconds (by default) or less left, renew it.
 		// The Identity server token cache is cleared 30 seconds before the token expires, allowing us to renew it
 		// See: https://github.com/camunda/camunda-8-js-sdk/issues/125
-		const tokenIsExpired = currentTime >= token.expiry - this.refreshWindow
+		const tokenIsExpired = currentTime >= tokenExpiryMs - this.refreshWindow
 		return tokenIsExpired
 	}