Example apps in SPO mode: Use token expiry from API response instead of token parsing (microsoft#25165)

## Description

This PR fixes SPO auth for most example apps. You can run example apps
with SPO via `npm run start:spo`. This addresses the bug
[AB#45538](https://dev.azure.com/fluidframework/internal/_workitems/edit/45538).

Auth was broken because push tokens didn't pass auth token validation,
which in turn broke our token cache, as token validation was used to get
the token expiry time via token parsing. The push token couldn't be
parsed as it's encrypted, see also the internal discussion [in
Teams](https://teams.microsoft.com/l/message/19:53328301da384b33bcc81111124e3ab4@thread.skype/1754343252351?tenantId=72f988bf-86f1-41af-91ab-2d7cd011db47&groupId=422665a0-7ad3-4d0d-9171-e8881d0397d9&parentMessageId=1754343252351&teamName=Loop&channelName=Bugs%20%F0%9F%90%9B&createdTime=1754343252351).

Repro of the bug was to just run `npm run start:spo` with any of the
example apps, after having run `getKeys` to get the right credentials
into your environment variables.

Author: steffenloesch

packages/utils/odsp-doclib-utils/src/odspAuth.ts

@@ -16,6 +16,8 @@ import { unauthPostAsync } from "./odspRequest.js";
 export interface IOdspTokens {
 	readonly accessToken: string;
 	readonly refreshToken: string;
+	readonly receivedAt?: number; // Unix timestamp in seconds
+	readonly expiresIn?: number; // Seconds from reception until the token expires
 }
 
 /**
@@ -191,8 +193,13 @@ export async function fetchTokens(
 			throw error;
 		}
 	}
+
+	const receivedAt = Math.floor(Date.now() / 1000); // Convert milliseconds to seconds
+	// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-member-access
+	const expiresIn = parsedResponse.expires_in ?? 3600; // Default to 1 hour (3600 seconds) if not provided
+
 	// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
-	return { accessToken, refreshToken };
+	return { accessToken, refreshToken, receivedAt, expiresIn };
 }
 
 /**
@@ -241,10 +248,7 @@ export async function refreshTokens(
 		grant_type: "refresh_token",
 		refresh_token,
 	};
-	const newTokens = await fetchTokens(server, scope, clientConfig, credentials);
-
-	// Instead of returning, update the passed in tokens object
-	return { accessToken: newTokens.accessToken, refreshToken: newTokens.refreshToken };
+	return fetchTokens(server, scope, clientConfig, credentials);
 }
 
 const createConfig = (token: string): RequestInit => ({

packages/utils/tool-utils/package.json

@@ -103,7 +103,6 @@
 		"@fluidframework/odsp-doclib-utils": "workspace:~",
 		"async-mutex": "^0.3.1",
 		"debug": "^4.3.4",
-		"jwt-decode": "^4.0.0",
 		"proper-lockfile": "^4.1.2"
 	},
 	"devDependencies": {

packages/utils/tool-utils/src/odspTokenManager.ts

@@ -17,7 +17,6 @@ import {
 	refreshTokens,
 } from "@fluidframework/odsp-doclib-utils/internal";
 import { Mutex } from "async-mutex";
-import { jwtDecode } from "jwt-decode";
 
 import { debug } from "./debug.js";
 import type { IAsyncCache, IResources } from "./fluidToolRc.js";
@@ -66,15 +65,20 @@ export interface IOdspTokenManagerCacheKey {
 	readonly userOrServer: string;
 }
 
-const isValidToken = (token: string): boolean => {
+const isValidAndNotExpiredToken = (tokens: IOdspTokens): boolean => {
 	// Return false for undefined or empty tokens.
-	if (!token || token.length === 0) {
+	if (!tokens.accessToken || tokens.accessToken.length === 0) {
 		return false;
 	}
 
-	const decodedToken = jwtDecode<{ exp: number }>(token);
+	if (tokens.receivedAt === undefined || tokens.expiresIn === undefined) {
+		// If we don't have receivedAt or expiresIn, we treat the token as expired.
+		return false;
+	}
+
+	const expiresAt = tokens.receivedAt + tokens.expiresIn;
 	// Give it a 60s buffer
-	return decodedToken.exp - 60 >= Date.now() / 1000;
+	return expiresAt - 60 >= Date.now() / 1000;
 };
 
 const cacheKeyToString = (key: IOdspTokenManagerCacheKey): string => {
@@ -189,7 +193,7 @@ export class OdspTokenManager {
 			const cacheKey = OdspTokenManager.getCacheKey(isPush, tokenConfig, server);
 			const tokensFromCache = await this.getTokenFromCache(cacheKey);
 			if (tokensFromCache) {
-				if (isValidToken(tokensFromCache.accessToken)) {
+				if (isValidAndNotExpiredToken(tokensFromCache)) {
 					debug(`${cacheKeyToString(cacheKey)}: Token reused from cache `);
 					await this.onTokenRetrievalFromCache(tokenConfig, tokensFromCache);
 					return tokensFromCache;
@@ -219,7 +223,7 @@ export class OdspTokenManager {
 			// check the cache again under the lock (if it is there)
 			const tokensFromCache = await this.getTokenFromCache(cacheKey);
 			if (tokensFromCache) {
-				if (forceRefresh || !isValidToken(tokensFromCache.accessToken)) {
+				if (forceRefresh || !isValidAndNotExpiredToken(tokensFromCache)) {
 					try {
 						// This updates the tokens in tokensFromCache
 						tokens = await refreshTokens(server, scope, clientConfig, tokensFromCache);
@@ -266,6 +270,13 @@ export class OdspTokenManager {
 			}
 		}
 
+		if (!isValidAndNotExpiredToken(tokens)) {
+			throw new Error(
+				`Acquired invalid tokens for ${cacheKeyToString(cacheKey)}. ` +
+					`Acquired token JSON: ${JSON.stringify(tokens)}`,
+			);
+		}
+
 		await this.updateTokensCacheWithoutLock(cacheKey, tokens);
 		return tokens;
 	}