fix: derive int_tests token expiry from JWT exp instead of hardcoded 2028 timestamp #205

Merged
mdrakiburrahman merged 5 commits into main from copilot/fix-hardcoded-expires-on on May 20, 2026

Copilot AI commented May 19, 2026

Contributor

Note

Thank you for making a change! Please fill this template for your pull request to improve the quality of the check-in message.

Tip

This repo uses Conventional Commit conventions - please try to rename your PR headline to match it.

Warning

Please ensure you read through this whole set of instructions, especially the Test section.

Why this change is needed

int_tests auth was constructing AccessToken(..., expires_on=1845972874), which marks tokens valid until 2028 and bypasses refresh checks.
Repro is straightforward: any authentication="int_tests" path keeps using the cached token regardless of real token expiry/revocation state.

How

  • Expiry derivation
    • Replaced hardcoded expires_on in get_default_access_token with JWT exp extraction from credentials.accessToken.
  • Safe fallback
    • If token parsing fails or exp is unavailable, fallback sets expires_on to current time to force immediate refresh behavior instead of fake long-lived validity.
  • Observability + guardrails
    • Added debug logging for parse failures without logging exception/token details.
  • Unit coverage
    • Added focused tests for:
      • JWT exp -> AccessToken.expires_on
      • non-JWT token -> immediate-refresh fallback timestamp

```python
# before
AccessToken(token=credentials.accessToken, expires_on=1845972874)

# after
derived_expiry = _extract_expiry_from_jwt(credentials.accessToken)
expires_on = derived_expiry or int(time.time())
AccessToken(token=credentials.accessToken, expires_on=expires_on)
```

Test

Important: Non-Microsoft Employee contributors

If you are not a Microsoft employee with a foo@microsoft.com email, you will not be able to run CI as it runs in the @microsoft.com Fabric Tenant where you do not have access.

In order for your PR to be considered for review, you must attach a clear screenshot of the output of you running the following command successfully:

npx nx run dbt-fabricspark:test --output-style=stream

Here's an example of a successful run:

A successful CI run locally

⚠️ Delete the above image and attach your own screenshot

To keep the quality of the repo high, if you do not attach a screenshot of successful local testing, your PR will be promptly closed.

Microsoft Employee contributors

Your PR will be subjected to full regression suite via GitHub Action.
It's highly recommended to run the tests locally so your contributions are promptly merged rather than failing in CI.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • 1.0.0.127.in-addr.arpa
    • Triggering command: /opt/mssql/bin/sqlservr (dns block)
  • api.fabric.microsoft.com
    • Triggering command: /home/REDACTED/work/dbt-fabricspark/dbt-fabricspark/.venv/bin/pytest pytest tests/unit -vv (dns block)
  • metadata.google.internal
    • Triggering command: /opt/mssql/bin/sqlservr (dns block)
  • settings-win.data.microsoft.com
    • Triggering command: /opt/mssql/bin/sqlservr (dns block)
  • vortex.data.microsoft.com
    • Triggering command: /opt/mssql/bin/sqlservr (dns block)
  • www.google-analytics.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/work/dbt-fabricspark/dbt-fabricspark/node_modules/.bin/nx run dbt-fabricspark:lint (dns block)
    • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node /home/REDACTED/work/dbt-fabricspark/dbt-fabricspark/node_modules/nx/src/project-graph/plugins/isolation/plugin-worker /tmp/plugin5889-2-330.024769.sock /home/REDACTED/work/dbt-fabricspark/dbt-fabricspark/node_modules/nx/src/plugins/project-json/build-nodes/project-json (dns block)
    • Triggering command: /opt/hostedtoolcache/node/24.14.1/x64/bin/node /opt/hostedtoolcache/node/24.14.1/x64/bin/node /home/REDACTED/work/dbt-fabricspark/dbt-fabricspark/node_modules/nx/src/project-graph/plugins/isolation/plugin-worker /tmp/plugin5889-0-323.033599.sock /home/REDACTED/work/dbt-fabricspark/dbt-fabricspark/node_modules/nx/src/plugins/js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI and others added 4 commits May 20, 2026 00:05
Agent-Logs-Url: https://github.com/microsoft/dbt-fabricspark/sessions/69f12454-e70a-4fa5-8deb-22257df2ad15

Co-authored-by: mdrakiburrahman <46581776+mdrakiburrahman@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix hardcoded expires_on timestamp in int_tests auth path" to "fix: derive int_tests token expiry from JWT exp instead of hardcoded 2028 timestamp" May 20, 2026
Copilot AI requested a review from mdrakiburrahman May 20, 2026 00:08
mdrakiburrahman marked this pull request as ready for review May 20, 2026 01:29
mdrakiburrahman merged commit 4c82df1 into main May 20, 2026
2 checks passed
mdrakiburrahman deleted the copilot/fix-hardcoded-expires-on branch May 20, 2026 01:30
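
The before/after from the PR description, worked through as an added example (not the project's code): a hypothetical `extract_expiry_from_jwt` reads `exp` from the unverified payload, and `needs_refresh` shows why the hardcoded value never triggers a refresh. The function names, the 300-second margin and the sample tokens are assumptions.

```python
import base64
import json
import time
from typing import Optional

REFRESH_SKEW_SECONDS = 300         # assumed refresh margin, not the project's value
HARDCODED_EXPIRES_ON = 1845972874  # the constant quoted in the PR description


def extract_expiry_from_jwt(token: str) -> Optional[int]:
    """Return the JWT `exp` claim as epoch seconds, or None if unreadable.

    The signature is not verified: the value is only a client-side cache
    lifetime hint and must never drive an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        exp = json.loads(base64.urlsafe_b64decode(payload))["exp"]
        if isinstance(exp, bool) or not isinstance(exp, (int, float)):
            return None
        exp = int(exp)  # raises for NaN / Infinity
    except (ValueError, OverflowError, KeyError, TypeError):
        return None  # caller falls back; nothing about the token is logged
    return exp if exp > 0 else None


def effective_expiry(token: str, now: Optional[int] = None) -> int:
    """Derived expiry, or `now` so the next freshness check forces a refresh."""
    now = int(time.time()) if now is None else now
    return extract_expiry_from_jwt(token) or now


def needs_refresh(expires_on: int, now: int) -> bool:
    """Freshness check of the kind a token cache applies before reuse."""
    return expires_on - now <= REFRESH_SKEW_SECONDS


def make_sample_jwt(claims: dict) -> str:
    """Constructed sample token with a placeholder signature segment."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```

With a token whose `exp` is already in the past, `needs_refresh(HARDCODED_EXPIRES_ON, now)` stays false while `needs_refresh(effective_expiry(token, now), now)` is true, which is the behaviour change the PR describes.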
Development

Successfully merging this pull request may close these issues.

Hardcoded expires_on = 1845972874 (year 2028) in int_tests auth path bypasses all token refresh