[PR #506] [MERGED] Fall back to JWT exp claim when OAuth token response has no expires_in #3355

Closed
opened 2026-07-15 02:03:12 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/mountain-loop/yaak/pull/506
Author: @gschier
Created: 7/14/2026
Status: Merged
Merged: 7/14/2026
Merged by: @gschier

Base: mainHead: oauth-jwt-expiry


📝 Commits (3)

  • 1b1bfe4 Fall back to JWT exp claim when OAuth token response has no expires_in
  • e1a7dc5 Check the expiry of the token used as the credential
  • a967200 Thread tokenName into remaining storeToken calls

📊 Changes

6 files changed (+96 additions, -9 deletions)

View changed files

📝 plugins/auth-oauth2/src/getOrRefreshAccessToken.ts (+4 -2)
📝 plugins/auth-oauth2/src/grants/authorizationCode.ts (+1 -0)
📝 plugins/auth-oauth2/src/grants/implicit.ts (+3 -3)
📝 plugins/auth-oauth2/src/store.ts (+5 -1)
📝 plugins/auth-oauth2/src/util.ts (+29 -2)
📝 plugins/auth-oauth2/tests/util.test.ts (+54 -1)

📄 Description

Reported in https://yaak.app/feedback/posts/token-not-refreshed-using-oauth2 (comment from 2026-07-10): a provider returned a token response with no expires_in, so the token was stored with expiresAt: null and treated as never expiring — an expired JWT got resent forever.

Now isTokenExpired falls back to decoding the JWT's exp claim when expiresAt is null (which also rescues already-stuck tokens in existing installs), and storeToken computes expiresAt from the JWT when expires_in is missing. Once expired with no refresh token, the normal flow re-authorizes and overwrites the stored token. Opaque (non-JWT) tokens behave as before.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/mountain-loop/yaak/pull/506 **Author:** [@gschier](https://github.com/gschier) **Created:** 7/14/2026 **Status:** ✅ Merged **Merged:** 7/14/2026 **Merged by:** [@gschier](https://github.com/gschier) **Base:** `main` ← **Head:** `oauth-jwt-expiry` --- ### 📝 Commits (3) - [`1b1bfe4`](https://github.com/mountain-loop/yaak/commit/1b1bfe4df450fe8542f6a9c48491155450bae2a5) Fall back to JWT exp claim when OAuth token response has no expires_in - [`e1a7dc5`](https://github.com/mountain-loop/yaak/commit/e1a7dc598ecfb6e534b938f3907a32066e1a8d2e) Check the expiry of the token used as the credential - [`a967200`](https://github.com/mountain-loop/yaak/commit/a967200ace6d2c23aaad380f5229ffe600f22058) Thread tokenName into remaining storeToken calls ### 📊 Changes **6 files changed** (+96 additions, -9 deletions) <details> <summary>View changed files</summary> 📝 `plugins/auth-oauth2/src/getOrRefreshAccessToken.ts` (+4 -2) 📝 `plugins/auth-oauth2/src/grants/authorizationCode.ts` (+1 -0) 📝 `plugins/auth-oauth2/src/grants/implicit.ts` (+3 -3) 📝 `plugins/auth-oauth2/src/store.ts` (+5 -1) 📝 `plugins/auth-oauth2/src/util.ts` (+29 -2) 📝 `plugins/auth-oauth2/tests/util.test.ts` (+54 -1) </details> ### 📄 Description Reported in https://yaak.app/feedback/posts/token-not-refreshed-using-oauth2 (comment from 2026-07-10): a provider returned a token response with no `expires_in`, so the token was stored with `expiresAt: null` and treated as never expiring — an expired JWT got resent forever. Now `isTokenExpired` falls back to decoding the JWT's `exp` claim when `expiresAt` is null (which also rescues already-stuck tokens in existing installs), and `storeToken` computes `expiresAt` from the JWT when `expires_in` is missing. Once expired with no refresh token, the normal flow re-authorizes and overwrites the stored token. Opaque (non-JWT) tokens behave as before. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-07-15 02:03:12 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/yaak#3355