Make access token expiry check more reliable

* Start the clock just _before_ the access token exchange occurs, otherwise the client will incorrectly add the delay between the server sending the token and the client receiving it to the expiry timestamp. * Use performance.now() instead of Date.now() so that expiry checks are not affected by system clock changes. performance.now() is supported on IE >= 10 and all modern browsers.

Make access token expiry check more reliable
* Start the clock just _before_ the access token exchange occurs, otherwise the client will incorrectly add the delay between the server sending the token and the client receiving it to the expiry timestamp. * Use performance.now() instead of Date.now() so that expiry checks are not affected by system clock changes. performance.now() is supported on IE >= 10 and all modern browsers.
cf7c778b · Robert Knight · eec82fc7 · cf7c778b · cf7c778b
Commit cf7c778b authored Jan 26, 2017 by Robert Knight
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 6 deletions

oauth-auth.js src/sidebar/oauth-auth.js +5 -2

oauth-auth-test.js src/sidebar/test/oauth-auth-test.js +6 -4

No files found.
--- a/src/sidebar/oauth-auth.js
+++ b/src/sidebar/oauth-auth.js
@@ -41,13 +41,16 @@ function auth($http, settings) {
  }

  function tokenGetter() {
-    if (cachedToken && cachedToken.expiresAt > Date.now()) {
+    // performance.now() is used instead of Date.now() because it is
+    // monotonically increasing.
+    if (cachedToken && cachedToken.expiresAt > performance.now()) {
      return Promise.resolve(cachedToken.token);
    } else if (grantToken) {
+      var refreshStart = performance.now();
      return exchangeToken(grantToken).then(function (tokenInfo) {
        cachedToken = {
          token: tokenInfo.access_token,
-          expiresAt: Date.now() + tokenInfo.expires_in * 1000,
+          expiresAt: refreshStart + tokenInfo.expires_in * 1000,
        };
        return cachedToken.token;
      });

--- a/src/sidebar/test/oauth-auth-test.js
+++ b/src/sidebar/test/oauth-auth-test.js
@@ -7,12 +7,13 @@ var DEFAULT_TOKEN_EXPIRES_IN_SECS = 1000;
 describe('oauth auth', function () {

  var auth;
-  var clock;
+  var nowStub;
  var fakeHttp;
  var fakeSettings;

  beforeEach(function () {
-    clock = sinon.useFakeTimers();
+    nowStub = sinon.stub(window.performance, 'now');
+    nowStub.returns(300);

    fakeHttp = {
      post: sinon.stub().returns(Promise.resolve({
@@ -36,7 +37,7 @@ describe('oauth auth', function () {
  });

  afterEach(function () {
-    clock.restore();
+    performance.now.restore();
  });

  describe('#tokenGetter', function () {
@@ -74,7 +75,8 @@ describe('oauth auth', function () {

    it('should refresh the access token if it has expired', function () {
      return auth.tokenGetter().then(function () {
-        clock.tick(DEFAULT_TOKEN_EXPIRES_IN_SECS * 1000 + 100);
+        var now = performance.now();
+        nowStub.returns(now + DEFAULT_TOKEN_EXPIRES_IN_SECS * 1000 + 100);
        fakeHttp.post.returns(Promise.resolve({
          status: 200,
          data: {