Add OauthClient class

This has been copied as closely as possible from `code-club-frontend`:
- `lib/oauth_client.rb` [1]
- `spec/lib/oauth_client_spec.rb` [2]

Some things that I've changed:
- Moved into the `RpiAuth` namespace.
- Use `RpiAuth.configuration.bypass_auth` instead of reading
  `BYPASS_AUTH` env var directly as per this PR [3]
- Use `RpiAuth.configure` in the `before` block instead of using
  `ClimateControl.modify` in an `around` block. The former is possible,
  because the `RpiAuth` configuration is reset before every example [4].

[1]: https://github.com/RaspberryPiFoundation/code-club-frontend/blob/f7e965798d910584fed0d1eb7867f32a899f9ce8/lib/oauth_client.rb
[2]: https://github.com/RaspberryPiFoundation/code-club-frontend/blob/main/spec/lib/oauth_client_spec.rb
[3]: https://github.com/RaspberryPiFoundation/experience-cs/pull/315
[4]: https://github.com/RaspberryPiFoundation/rpi-auth/blob/e54cc7a30c61cf43874a38c79f1e2f3e2b6d2103/spec/spec_helper.rb#L132-L136

Author: floehopper

lib/rpi_auth/oauth_client.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'oauth2/client'
+require 'oauth2/access_token'
+
+module RpiAuth
+  class OauthClient
+    attr_reader :client
+
+    def initialize
+      @client = OAuth2::Client.new(
+        RpiAuth.configuration.auth_client_id,
+        RpiAuth.configuration.auth_client_secret,
+        site: RpiAuth.configuration.auth_token_url,
+        token_url: RpiAuth.configuration.token_endpoint.path,
+        authorize_url: RpiAuth.configuration.authorization_endpoint.path
+      )
+    end
+
+    def refresh_credentials(**credentials)
+      new_credentials = if RpiAuth.configuration.bypass_auth
+                          credentials.merge(expires_at: 1.hour.from_now)
+                        else
+                          OAuth2::AccessToken.from_hash(client, credentials).refresh.to_hash
+                        end
+
+      {
+        access_token: new_credentials[:access_token],
+        refresh_token: new_credentials[:refresh_token],
+        expires_at: new_credentials[:expires_at].to_i
+      }
+    end
+  end
+end

spec/rpi_auth/oauth_client_spec.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'oauth2'
+
+RSpec.describe RpiAuth::OauthClient do
+  include ActiveSupport::Testing::TimeHelpers
+
+  describe '#refresh_credentials' do
+    subject(:refresh_credentials) { oauth_client.refresh_credentials(**credentials) }
+
+    let(:oauth_client) { described_class.new }
+    let(:credentials) { { access_token: 'foo', refresh_token: 'bar' } }
+    let(:refresh_body) { { token: 'baz', refresh_token: 'quux', expires_in: rand(300..600) } }
+
+    before do
+      RpiAuth.configure do |config|
+        config.bypass_auth = bypass_auth
+        config.auth_url = 'https://auth.com:123/'
+      end
+
+      freeze_time
+    end
+
+    after do
+      unfreeze_time
+    end
+
+    context 'when RpiAuth.configuration.bypass is not set' do
+      let(:bypass_auth) { false }
+
+      before do
+        stub_request(:post, RpiAuth.configuration.token_endpoint)
+          .with(body: { grant_type: 'refresh_token', refresh_token: credentials[:refresh_token] })
+          .to_return(status: 200, body: refresh_body.to_json, headers: { content_type: 'application/json' })
+      end
+
+      it do
+        expect(refresh_credentials).to eq({ access_token: refresh_body[:token],
+                                            refresh_token: refresh_body[:refresh_token],
+                                            expires_at: Time.now.to_i + refresh_body[:expires_in] })
+      end
+    end
+
+    context 'when RpiAuth.configuration.bypass is set' do
+      let(:bypass_auth) { true }
+
+      it { expect(refresh_credentials).to eq credentials.merge(expires_at: 1.hour.from_now.to_i) }
+    end
+  end
+end