Refresh access tokens before expiry

CHANGELOG.md

@@ -13,6 +13,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Removed
 
+## [v4.2.1]
+
+### Fixed
+
+- Refresh access tokens before expiry (#89)
+
 ## [v4.2.0]
 
 ### Added
@@ -154,7 +160,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - rails model concern to allow host app to add auth behaviour to a model
 - callback, logout and failure routes to handle auth
 
-[Unreleased]: https://github.com/RaspberryPiFoundation/rpi-auth/compare/v4.2.0...HEAD
+[Unreleased]: https://github.com/RaspberryPiFoundation/rpi-auth/compare/v4.2.1...HEAD
+[v4.2.1]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.2.1
 [v4.2.0]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.2.0
 [v4.1.1]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.1.1
 [v4.1.0]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.1.0

gemfiles/rails_6.1.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    rpi_auth (4.2.0)
+    rpi_auth (4.2.1)
       oauth2
       omniauth-rails_csrf_protection (~> 1.0.0)
       omniauth_openid_connect (~> 0.7.1)

gemfiles/rails_7.0.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    rpi_auth (4.2.0)
+    rpi_auth (4.2.1)
       oauth2
       omniauth-rails_csrf_protection (~> 1.0.0)
       omniauth_openid_connect (~> 0.7.1)

gemfiles/rails_7.1.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    rpi_auth (4.2.0)
+    rpi_auth (4.2.1)
       oauth2
       omniauth-rails_csrf_protection (~> 1.0.0)
       omniauth_openid_connect (~> 0.7.1)

gemfiles/rails_7.2.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    rpi_auth (4.2.0)
+    rpi_auth (4.2.1)
       oauth2
       omniauth-rails_csrf_protection (~> 1.0.0)
       omniauth_openid_connect (~> 0.7.1)

lib/rpi_auth/controllers/auto_refreshing_token.rb

@@ -5,6 +5,8 @@
 module RpiAuth
   module Controllers
     module AutoRefreshingToken
+      REFRESH_WINDOW_IN_SECONDS = 60
+
       extend ActiveSupport::Concern
 
       include CurrentUser
@@ -18,7 +20,7 @@ module AutoRefreshingToken
       def refresh_credentials_if_needed
         return unless current_user
 
-        return if Time.now.to_i < current_user.expires_at
+        return if Time.now.to_i + REFRESH_WINDOW_IN_SECONDS <= current_user.expires_at
 
         current_user.refresh_credentials!
         self.current_user = current_user

lib/rpi_auth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RpiAuth
-  VERSION = '4.2.0'
+  VERSION = '4.2.1'
 end

spec/dummy/spec/requests/refresh_credentials_spec.rb

@@ -63,15 +63,15 @@
       log_in(user:)
     end
 
-    context 'when the access token has not expired' do
-      let(:expires_at) { 10.seconds.from_now }
+    context 'when the access token is valid for at least another 60 seconds' do
+      let(:expires_at) { 60.seconds.from_now }
 
       it_behaves_like 'the user is logged in'
       it_behaves_like 'there is no attempt to renew the token'
     end
 
-    context 'when the access token has expired' do
-      let(:expires_at) { 10.seconds.ago }
+    context 'when the access token expires in the next 60 seconds' do
+      let(:expires_at) { 59.seconds.from_now }
 
       before do
         allow(stub_oauth_client).to receive(:refresh_credentials).with(any_args).and_return({ access_token: 'foo',