feat: provide better error message for expired refresh token

ctron · ctron · commit 245b530c881f · 2025-07-22T13:18:05.000+02:00
diff --git a/src/cmd/list.rs b/src/cmd/list.rs
@@ -53,7 +53,7 @@ impl List {
             }
 
             if let Some(state) = &client.state {
-                let access = self.token::<_, AccessTokenClaims>(&state.access_token, |token| {
+                let access = Self::token::<_, AccessTokenClaims>(&state.access_token, |token| {
                     self.expiration(
                         token
                             .exp
@@ -67,7 +67,7 @@ impl List {
                     .refresh_token
                     .as_ref()
                     .map(|refresh| {
-                        self.token::<_, RefreshTokenClaims>(refresh, |token| {
+                        Self::token::<_, RefreshTokenClaims>(refresh, |token| {
                             self.expiration(
                                 token
                                     .exp
@@ -91,7 +91,7 @@ impl List {
     /// Decode a token and call the function to extract cell information
     ///
     /// NOTE: The token is not being verified.
-    fn token<F, T>(&self, token: &str, f: F) -> Cell
+    fn token<F, T>(token: &str, f: F) -> Cell
     where
         F: FnOnce(T) -> Cell,
         T: CompactJson,
diff --git a/src/oidc.rs b/src/oidc.rs
@@ -1,9 +1,11 @@
 use crate::{
+    claims::RefreshTokenClaims,
     config::{Client, ClientState, ClientType},
     http::{HttpOptions, create_client},
     utils::OrNone,
 };
 use anyhow::{anyhow, bail};
+use biscuit::{Empty, jws::Compact};
 use oauth2::RefreshToken;
 use openidconnect::{
     ClientId, ClientSecret, IssuerUrl, Scope,
@@ -18,6 +20,8 @@ pub enum TokenResult {
 
 /// Fetch a new token
 pub async fn fetch_token(config: &Client, http: &HttpOptions) -> anyhow::Result<TokenResult> {
+    log::debug!("Fetching new token");
+
     let http = create_client(http).await?;
 
     match &config.r#type {
@@ -61,14 +65,29 @@ pub async fn fetch_token(config: &Client, http: &HttpOptions) -> anyhow::Result<
             )
             .await?;
 
+            let refresh_token = state.refresh_token.clone().ok_or_else(|| anyhow!("Expired token of a public client, without having a refresh token. You will need to re-login."))?;
+
+            if let Ok(token) = Compact::<RefreshTokenClaims, Empty>::new_encoded(&refresh_token)
+                .unverified_payload()
+            {
+                log::debug!("refresh token expiration: {:?}", token.exp);
+
+                if let Some(exp) = token
+                    .exp
+                    .and_then(|exp| OffsetDateTime::from_unix_timestamp(exp).ok())
+                {
+                    if exp < OffsetDateTime::now_utc() {
+                        bail!("Refresh token expired. You need to re-login.");
+                    }
+                }
+            }
+
             let client = CoreClient::from_provider_metadata(
                 provider_metadata,
                 ClientId::new(client_id.clone()),
                 client_secret.clone().map(ClientSecret::new),
             );
 
-            let refresh_token= state.refresh_token.clone().ok_or_else(|| anyhow!("Expired token of a public client, without having a refresh token. You will need to re-login."))?;
-
             let token = client
                 .exchange_refresh_token(&RefreshToken::new(refresh_token))?
                 .add_scopes(extra_scopes(config.scope.as_deref()))
