From 0b5be7b3f0201b9179d31e8f2488b33ba2e203a6 Mon Sep 17 00:00:00 2001
From: Gareth Pelly <gpelly@etsy.com>
Date: Thu, 3 Oct 2024 17:38:38 +0100
Subject: [PATCH] fix(GcpAuthenticator): Handle metadata behaviour change with
 token regen

---
 src/gcp.rs | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/gcp.rs b/src/gcp.rs
index 148fa9dec501a..8638cd40afa1b 100644
--- a/src/gcp.rs
+++ b/src/gcp.rs
@@ -209,8 +209,16 @@ impl GcpAuthenticator {
                         Ok(()) => {
                             sender.send_replace(());
                             let expires_in = inner.token.read().unwrap().expires_in() as u64;
-                            deadline =
-                                Duration::from_secs(expires_in - METADATA_TOKEN_EXPIRY_MARGIN_SECS);
+                            // Rather than an expected fresh token, the Metadata Server may return
+                            // the same (cached) token during the last 300 seconds of its lifetime.
+                            // This scenario is handled by retrying the token refresh after the
+                            // METADATA_TOKEN_ERROR_RETRY_SECS period when a fresh token is expected
+                            if !(expires_in > METADATA_TOKEN_EXPIRY_MARGIN_SECS) {
+                                deadline = Duration::from_secs(METADATA_TOKEN_ERROR_RETRY_SECS);
+                            } else {
+                                deadline =
+                                    Duration::from_secs(expires_in - METADATA_TOKEN_EXPIRY_MARGIN_SECS);
+                            }
                         }
                         Err(error) => {
                             error!(
@@ -314,8 +322,8 @@ mod tests {
                 api_key = "testing"
             "#,
         )
-        .await
-        .expect("build_auth failed");
+            .await
+            .expect("build_auth failed");
         assert!(matches!(auth, GcpAuthenticator::None));
     }