From a3fb8e80b3ac8b7e6ae6df5d9eb96c4b5f21c58f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Mart=C3=AD?= Date: Tue, 1 Oct 2024 11:32:26 +0200 Subject: [PATCH] cmd/cue: truncate expiry timestamps to seconds MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OAuth2 measures expiry in seconds via the expires_in JSON wire format field, so any sub-second units add unnecessary verbosity. For example, this swaps UTC timestamps such as "expiry": "2024-10-01T10:27:51.579344983Z" for much shorter timestamps such as "expiry": "2024-10-01T10:30:57Z" If an access token is obtained at 10:30:59.95, nearly at 10:31, and the server tells the client that the token expires in 24h, this does mean we would refresh the token up to one second sooner. Given that the expiry time is measured in seconds, that the wire format tells the client the expiry in seconds relative to the current time which is already not a fixed point, and that expiry times in practice are measured in entire hours or days, this seems fine. Moreover, renewing an access token slightly too soon is not harmful. Signed-off-by: Daniel Martí Change-Id: I73ef6451de091eb1878a54eebda9b15da1234a6f Reviewed-on: https://review.gerrithub.io/c/cue-lang/cue/+/1202037 Reviewed-by: Roger Peppe TryBot-Result: CUEcueckoo Unity-Result: CUE porcuepine --- cmd/cue/cmd/login.go | 5 ++++- cmd/cue/cmd/testdata/script/login_immediate.txtar | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/cmd/cue/cmd/login.go b/cmd/cue/cmd/login.go index 2d0a52903fb..1a8674bb451 100644 --- a/cmd/cue/cmd/login.go +++ b/cmd/cue/cmd/login.go @@ -19,6 +19,7 @@ import ( "fmt" "net/http" "os" + "time" "github.com/spf13/cobra" "golang.org/x/oauth2" 
@@ -99,9 +100,11 @@ inside $CUE_CONFIG_DIR; see 'cue help environment'. // For consistency, store timestamps in UTC. tok.Expiry = tok.Expiry.UTC() + // OAuth2 measures expiry in seconds via the expires_in JSON wire format field, + // so any sub-second units add unnecessary verbosity. + tok.Expiry = tok.Expiry.Truncate(time.Second) _, err = cueconfig.UpdateRegistryLogin(loginsPath, host.Name, tok) - if err != nil { return fmt.Errorf("cannot store CUE registry logins: %v", err) } diff --git a/cmd/cue/cmd/testdata/script/login_immediate.txtar b/cmd/cue/cmd/testdata/script/login_immediate.txtar index 170fd376f50..f32caade652 100644 --- a/cmd/cue/cmd/testdata/script/login_immediate.txtar +++ b/cmd/cue/cmd/testdata/script/login_immediate.txtar @@ -14,7 +14,7 @@ grep -count=1 '"access_token"' cueconfig/logins.json # Ensure the contents of the token look correct. grep -count=1 '"access_token": "secret-access-token"' cueconfig/logins.json grep -count=1 '"token_type": "Bearer"' cueconfig/logins.json -# Timestamps are always stored in UTC. -grep '"expiry": "20..-..-..T.*Z"' cueconfig/logins.json +# Timestamps are always stored in UTC and truncated to seconds. +grep '"expiry": "20..-..-..T..:..:..Z"' cueconfig/logins.json # oauthregistry does not give a refresh token, and we use encoding/json's omitempty. ! grep '"refresh_token"' cueconfig/logins.json
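Review bot: The new comment above `tok.Expiry = tok.Expiry.Truncate(time.Second)` explains why sub-second precision is dropped, but not why the code rounds down, and that direction is what makes the change safe for a stored credential. With `Truncate` the expiry written to the logins file can only be equal to or earlier than the one derived from the server's response. The client may therefore refresh up to a second early, but it never treats a token as valid past its real lifetime. `Round` would save the same bytes and could push the expiry up to half a second later. The commit message makes this argument, but the code does not, so I would add a line such as `// Truncate, not Round: rounding down can only cause an early refresh, never use of a token past its real expiry.` to stop a later cleanup from swapping the call. The enclosing function starts and ends outside this hunk, so I cannot tell whether `tok` is used again after being stored.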