Merge pull request #3895 from skoeva/auth6

backend: auth: Extract IsTokenAboutToExpire from headlamp.go

Author: illume

backend/cmd/headlamp.go

@@ -786,30 +786,6 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 	return r
 }
 
-func isTokenAboutToExpire(token string) bool {
-	const tokenParts = 3
-
-	parts := strings.Split(token, ".")
-	if len(parts) != tokenParts {
-		return false
-	}
-
-	payload, err := auth.DecodeBase64JSON(parts[1])
-	if err != nil {
-		logger.Log(logger.LevelError, nil, err, "failed to decode payload")
-		return false
-	}
-
-	expiryUnixTimeUTC, err := auth.GetExpiryUnixTimeUTC(payload)
-	if err != nil {
-		logger.Log(logger.LevelError, nil, err, "failed to get expiry time")
-		return false
-	}
-
-	// This time comparison is timezone aware, so it works correctly
-	return time.Until(expiryUnixTimeUTC) <= JWTExpirationTTL
-}
-
 // configureTLSContext configures TLS settings for the HTTP client in the context.
 // If skipTLSVerify is true, TLS verification will be skipped.
 // If caCert is provided, it will be added to the certificate pool for TLS verification.
@@ -1069,7 +1045,7 @@ func (c *HeadlampConfig) OIDCTokenRefreshMiddleware(next http.Handler) http.Hand
 		}
 
 		// skip if token is not about to expire
-		if !isTokenAboutToExpire(token) {
+		if !auth.IsTokenAboutToExpire(token) {
 			c.telemetryHandler.RecordEvent(span, "Token not about to expire, skipping refresh")
 			next.ServeHTTP(w, r)
 			c.telemetryHandler.RecordDuration(ctx, start,

backend/cmd/headlamp_test.go

@@ -32,7 +32,6 @@ import (
 	"os"
 	"path/filepath"
 	"strconv"
-	"strings"
 	"testing"
 	"time"
 
@@ -932,23 +931,6 @@ func TestGetOidcCallbackURL(t *testing.T) {
 	}
 }
 
-func TestIsTokenAboutToExpire(t *testing.T) {
-	// Token that expires in 4 minutes
-	header := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
-	originalPayload := "eyJleHAiOjE2MTIzNjE2MDB9"
-	signature := ".7vl9iBWGDQdXUTbEsqFHiHoaNWxKn4UwLhO9QDhXrpM"
-
-	token := header + originalPayload + signature
-	result := isTokenAboutToExpire(token)
-	assert.True(t, result)
-
-	modifiedPayload := strings.Replace(originalPayload, "J", "-", 1)
-
-	token = header + modifiedPayload + signature
-	result = isTokenAboutToExpire(token)
-	assert.False(t, result, "Expected to return false when payload decoding fails due to URL-safe characters")
-}
-
 func TestOIDCTokenRefreshMiddleware(t *testing.T) {
 	kubeConfigStore := kubeconfig.NewContextStore()
 	config := &HeadlampConfig{

backend/pkg/auth/auth.go

@@ -36,6 +36,8 @@ const (
 	oidcKeyPrefix = "oidc-token-"
 )
 
+const JWTExpirationTTL = 10 * time.Second // seconds
+
 // DecodeBase64JSON decodes a base64 URL-encoded JSON string into a map.
 func DecodeBase64JSON(base64JSON string) (map[string]interface{}, error) {
 	payloadBytes, err := base64.RawURLEncoding.DecodeString(base64JSON)
@@ -100,6 +102,30 @@ func GetExpiryUnixTimeUTC(tokenPayload map[string]interface{}) (time.Time, error
 	return time.Unix(int64(exp), 0).UTC(), nil
 }
 
+// IsTokenAboutToExpire reports whether the given token is within JWTExpirationTTL
+// of its expiry time.
+func IsTokenAboutToExpire(token string) bool {
+	parts := strings.SplitN(token, ".", 3)
+	if len(parts) != 3 || parts[1] == "" {
+		return false
+	}
+
+	payload, err := DecodeBase64JSON(parts[1])
+	if err != nil {
+		logger.Log(logger.LevelError, nil, err, "failed to decode payload")
+		return false
+	}
+
+	expiryUnixTimeUTC, err := GetExpiryUnixTimeUTC(payload)
+	if err != nil {
+		logger.Log(logger.LevelError, nil, err, "failed to get expiry time")
+		return false
+	}
+
+	// This time comparison is timezone aware, so it works correctly
+	return time.Until(expiryUnixTimeUTC) <= JWTExpirationTTL
+}
+
 // CacheRefreshedToken updates the refresh token in the cache.
 func CacheRefreshedToken(token *oauth2.Token, tokenType string, oldToken string,
 	oldRefreshToken string, cache cache.Cache[interface{}],

backend/pkg/auth/auth_test.go

@@ -18,6 +18,8 @@ package auth_test
 
 import (
 	"context"
+	"encoding/base64"
+	"encoding/json"
 	"errors"
 	"net/http"
 	"reflect"
@@ -283,6 +285,65 @@ func TestGetExpiryUnixTimeUTC(t *testing.T) {
 	}
 }
 
+const headerBase64 = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0"
+
+func makeJWTWithPayload(t *testing.T, payload map[string]interface{}) string {
+	t.Helper()
+
+	payloadBytes, err := json.Marshal(payload)
+	if err != nil {
+		t.Fatalf("failed to marshal payload: %v", err)
+	}
+
+	payloadBase64 := base64.RawURLEncoding.EncodeToString(payloadBytes)
+
+	// 3 segments: header.payload.signature (signature)
+	return headerBase64 + "." + payloadBase64 + "."
+}
+
+func TestIsTokenAboutToExpire_Window(t *testing.T) {
+	now := time.Now()
+	tests := []struct {
+		name string
+		exp  time.Time
+		want bool
+	}{
+		{"within window", now.Add(auth.JWTExpirationTTL / 2), true},
+		{"beyond window", now.Add(auth.JWTExpirationTTL + 30*time.Second), false},
+		{"already expired", now.Add(-5 * time.Second), true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			token := makeJWTWithPayload(t, map[string]interface{}{"exp": float64(tt.exp.Unix())})
+			if got := auth.IsTokenAboutToExpire(token); got != tt.want {
+				t.Fatalf("IsTokenAboutToExpire() = %v, want %v (exp=%v, now=%v)",
+					got, tt.want, tt.exp.UTC(), now.UTC())
+			}
+		})
+	}
+}
+
+func TestIsTokenAboutToExpire_InvalidInputs(t *testing.T) {
+	tests := []struct {
+		name  string
+		token string
+	}{
+		{"not three parts", "not-a-jwt"},
+		{"invalid base64 payload", headerBase64 + ".%%%." + "."},
+		{"missing exp", makeJWTWithPayload(t, map[string]interface{}{})},
+		{"non-numeric exp", makeJWTWithPayload(t, map[string]interface{}{"exp": "1609459200"})},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := auth.IsTokenAboutToExpire(tt.token); got {
+				t.Fatalf("IsTokenAboutToExpire() = true, want false for %s", tt.name)
+			}
+		})
+	}
+}
+
 type cacheStub struct{}
 
 func (cacheStub) Delete(ctx context.Context, k string) error {