Refresh access tokens before expiry (#89)

We've seen a small number of [exceptions in Experience CS][1] which are
caused by a 401 response from Editor API. I'm fairly confident these are
occurring when the access token used to make the request to Editor API
has expired. My hypothesis is that the token is valid at the time the
request comes into Experience CS (and therefore the auto refresh
behaviour isn't triggered) but is invalid by the time we make the
request to Editor API. This change reduces the risk of this happening by
refreshing the token if it expires in the next 60 seconds.

[1]: https://github.com/RaspberryPiFoundation/experience-cs/issues/914

Author: chrisroos

CHANGELOG.md

@@ -13,6 +13,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Removed
 
+## [v4.2.1]
+
+### Fixed
+
+- Refresh access tokens before expiry (#89)
+
 ## [v4.2.0]
 
 ### Added
@@ -154,7 +160,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - rails model concern to allow host app to add auth behaviour to a model
 - callback, logout and failure routes to handle auth
 
-[Unreleased]: https://github.com/RaspberryPiFoundation/rpi-auth/compare/v4.2.0...HEAD
+[Unreleased]: https://github.com/RaspberryPiFoundation/rpi-auth/compare/v4.2.1...HEAD
+[v4.2.1]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.2.1
 [v4.2.0]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.2.0
 [v4.1.1]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.1.1
 [v4.1.0]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.1.0

gemfiles/rails_6.1.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    rpi_auth (4.2.0)
+    rpi_auth (4.2.1)
       oauth2
       omniauth-rails_csrf_protection (~> 1.0.0)
       omniauth_openid_connect (~> 0.7.1)

gemfiles/rails_7.0.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    rpi_auth (4.2.0)
+    rpi_auth (4.2.1)
       oauth2
       omniauth-rails_csrf_protection (~> 1.0.0)
       omniauth_openid_connect (~> 0.7.1)

gemfiles/rails_7.1.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    rpi_auth (4.2.0)
+    rpi_auth (4.2.1)
       oauth2
       omniauth-rails_csrf_protection (~> 1.0.0)
       omniauth_openid_connect (~> 0.7.1)

gemfiles/rails_7.2.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    rpi_auth (4.2.0)
+    rpi_auth (4.2.1)
       oauth2
       omniauth-rails_csrf_protection (~> 1.0.0)
       omniauth_openid_connect (~> 0.7.1)

lib/rpi_auth/controllers/auto_refreshing_token.rb

@@ -5,6 +5,8 @@
 module RpiAuth
   module Controllers
     module AutoRefreshingToken
+      REFRESH_WINDOW_IN_SECONDS = 60
+
       extend ActiveSupport::Concern
 
       include CurrentUser
@@ -18,7 +20,7 @@ module AutoRefreshingToken
       def refresh_credentials_if_needed
         return unless current_user
 
-        return if Time.now.to_i < current_user.expires_at
+        return if Time.now.to_i + REFRESH_WINDOW_IN_SECONDS <= current_user.expires_at
 
         current_user.refresh_credentials!
         self.current_user = current_user

lib/rpi_auth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RpiAuth
-  VERSION = '4.2.0'
+  VERSION = '4.2.1'
 end

spec/dummy/spec/requests/refresh_credentials_spec.rb

@@ -63,15 +63,15 @@
       log_in(user:)
     end
 
-    context 'when the access token has not expired' do
-      let(:expires_at) { 10.seconds.from_now }
+    context 'when the access token is valid for at least another 60 seconds' do
+      let(:expires_at) { 60.seconds.from_now }
 
       it_behaves_like 'the user is logged in'
       it_behaves_like 'there is no attempt to renew the token'
     end
 
-    context 'when the access token has expired' do
-      let(:expires_at) { 10.seconds.ago }
+    context 'when the access token expires in the next 60 seconds' do
+      let(:expires_at) { 59.seconds.from_now }
 
       before do
         allow(stub_oauth_client).to receive(:refresh_credentials).with(any_args).and_return({ access_token: 'foo',