Refresh access tokens before expiry

chrisroos · chrisroos · commit 4fc74a445f92 · 2025-07-17T09:29:10.000+01:00
We've seen a small number of exceptions in Experience CS[1] which are caused by a 401 response from Editor API. I'm fairly confident these are occurring when the access token used to make the request to Editor API has expired. My hypothesis is that the token is valid at the time the request comes into Experience CS (and therefore the auto refresh behaviour isn't triggered) but is invalid by the time we make the request to Editor API. This change reduces the risk of this happening by refreshing the token if it expires in the next 60 seconds. [1]: https://github.com/RaspberryPiFoundation/experience-cs/issues/914
diff --git a/lib/rpi_auth/controllers/auto_refreshing_token.rb b/lib/rpi_auth/controllers/auto_refreshing_token.rb
@@ -5,6 +5,8 @@
 module RpiAuth
   module Controllers
     module AutoRefreshingToken
+      REFRESH_WINDOW_IN_SECONDS = 60
+
       extend ActiveSupport::Concern
 
       include CurrentUser
@@ -18,7 +20,7 @@ module AutoRefreshingToken
       def refresh_credentials_if_needed
         return unless current_user
 
-        return if Time.now.to_i < current_user.expires_at
+        return if Time.now.to_i + REFRESH_WINDOW_IN_SECONDS <= current_user.expires_at
 
         current_user.refresh_credentials!
         self.current_user = current_user
diff --git a/spec/dummy/spec/requests/refresh_credentials_spec.rb b/spec/dummy/spec/requests/refresh_credentials_spec.rb
@@ -63,15 +63,15 @@
       log_in(user:)
     end
 
-    context 'when the access token has not expired' do
-      let(:expires_at) { 10.seconds.from_now }
+    context 'when the access token is valid for at least another 60 seconds' do
+      let(:expires_at) { 60.seconds.from_now }
 
       it_behaves_like 'the user is logged in'
       it_behaves_like 'there is no attempt to renew the token'
     end
 
-    context 'when the access token has expired' do
-      let(:expires_at) { 10.seconds.ago }
+    context 'when the access token expires in the next 60 seconds' do
+      let(:expires_at) { 59.seconds.from_now }
 
       before do
         allow(stub_oauth_client).to receive(:refresh_credentials).with(any_args).and_return({ access_token: 'foo',
