Fix refresh token behavior on EXPIRY_MARGIN (#122)

The previous behavior was resulting in the library using an expired
token for a few minutes (for as long as EXPIRY_MARGIN_IN_MINUTES to be
precise), and that is because we had the following timeline:
- now-5min  = 2022-12-23T09:57:00Z
- now       = 2022-12-23T10:02:00Z
- expiresAt = 2022-12-23T10:05:00Z
- now+5min  = 2022-12-23T10:07:00Z

So checking if expiresAt is before now-5min returns true until
now = 2022-12-23T10:09:59Z, which means the calls will fail without the
token being refreshed until that point.

Author: paulojean

src/main/java/com/spotify/github/v3/clients/GitHubClient.java

@@ -701,8 +701,8 @@ private String getInstallationToken(final String jwtToken, final int installatio
   }
 
   private boolean isExpired(final AccessToken token) {
-    // Subtract a few minutes to avoid making calls with an expired token due to clock differences
-    return token.expiresAt().isBefore(ZonedDateTime.now().minusMinutes(EXPIRY_MARGIN_IN_MINUTES));
+    // Adds a few minutes to avoid making calls with an expired token due to clock differences
+    return token.expiresAt().isBefore(ZonedDateTime.now().plusMinutes(EXPIRY_MARGIN_IN_MINUTES));
   }
 
   private AccessToken generateInstallationToken(final String jwtToken, final int installationId)

src/test/java/com/spotify/github/v3/clients/GitHubAuthTest.java

@@ -70,6 +70,13 @@ public class GitHubAuthTest {
                   .toJson(
                       ImmutableAccessToken.copyOf(getTestInstallationToken())
                           .withExpiresAt(ZonedDateTime.now().minusHours(2))));
+  private final MockResponse expiredTokenWithinExpiryMarginResponse =
+      new MockResponse()
+          .setBody(
+              Json.create()
+                  .toJson(
+                      ImmutableAccessToken.copyOf(getTestInstallationToken())
+                          .withExpiresAt(ZonedDateTime.now().minusMinutes(3))));
   private final MockResponse checkRunResponse =
       new MockResponse().setBody(loadResource("com/spotify/github/v3/checks/checks-run-completed-response.json"));
 
@@ -149,6 +156,25 @@ public void fetchesANewInstallationTokenIfExpired() throws Exception {
     assertThat(mockServer.takeRequest().getPath(), is("/repos/foo/bar/check-runs/123"));
   }
 
+  @Test
+  public void fetchesANewInstallationTokenIfExpirationIsWithinExpiryMargin() throws Exception {
+    mockServer.enqueue(expiredTokenWithinExpiryMarginResponse);
+    mockServer.enqueue(checkRunResponse);
+    mockServer.enqueue(validTokenResponse);
+    mockServer.enqueue(checkRunResponse);
+
+    checksClient.getCheckRun(123).join();
+    checksClient.getCheckRun(123).join();
+
+    // 2 to get the token, 2 checks
+    assertThat(mockServer.getRequestCount(), is(4));
+
+    assertThat(mockServer.takeRequest().getPath(), is("/app/installations/1/access_tokens"));
+    assertThat(mockServer.takeRequest().getPath(), is("/repos/foo/bar/check-runs/123"));
+    assertThat(mockServer.takeRequest().getPath(), is("/app/installations/1/access_tokens"));
+    assertThat(mockServer.takeRequest().getPath(), is("/repos/foo/bar/check-runs/123"));
+  }
+
   @Test
   public void throwsIfFetchingInstallationTokenRequestIsUnsuccessful() throws Exception {
     mockServer.enqueue(new MockResponse().setResponseCode(500));