Revert "fix: always attempt external auth refresh when fetching (#11762)"

This reverts commit 0befc0826a.
2025-07-03 16:13:58 +00:00 · 2024-01-25 14:22:47 -06:00
parent 0befc0826a
commit 79568bf628
6 changed files with 80 additions and 129 deletions
--- a/coderd/externalauth/externalauth.go
+++ b/coderd/externalauth/externalauth.go
@ -138,7 +138,7 @@ func (c *Config) RefreshToken(ctx context.Context, db database.Store, externalAu
 	retryCtx, retryCtxCancel := context.WithTimeout(ctx, time.Second)
 	defer retryCtxCancel()
 validate:
-	valid, _, err := c.ValidateToken(ctx, token)
+	valid, _, err := c.ValidateToken(ctx, token.AccessToken)
 	if err != nil {
 		return externalAuthLink, false, xerrors.Errorf("validate external auth token: %w", err)
 	}
@ -179,14 +179,7 @@ validate:

 // ValidateToken ensures the Git token provided is valid!
 // The user is optionally returned if the provider supports it.
-func (c *Config) ValidateToken(ctx context.Context, link *oauth2.Token) (bool, *codersdk.ExternalAuthUser, error) {
-	if link == nil {
-		return false, nil, xerrors.New("validate external auth token: token is nil")
-	}
-	if !link.Expiry.IsZero() && link.Expiry.Before(dbtime.Now()) {
-		return false, nil, nil
-	}
-
+func (c *Config) ValidateToken(ctx context.Context, token string) (bool, *codersdk.ExternalAuthUser, error) {
 	if c.ValidateURL == "" {
 		// Default that the token is valid if no validation URL is provided.
 		return true, nil, nil
@ -196,7 +189,7 @@ func (c *Config) ValidateToken(ctx context.Context, link *oauth2.Token) (bool, *
 		return false, nil, err
 	}

-	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", link.AccessToken))
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
 	res, err := c.InstrumentedOAuth2Config.Do(ctx, promoauth.SourceValidateToken, req)
 	if err != nil {
 		return false, nil, err
@ -403,15 +396,10 @@ func (c *DeviceAuth) ExchangeDeviceCode(ctx context.Context, deviceCode string)
 	if body.Error != "" {
 		return nil, xerrors.New(body.Error)
 	}
-	// If expiresIn is 0, then the token never expires.
-	expires := dbtime.Now().Add(time.Duration(body.ExpiresIn) * time.Second)
-	if body.ExpiresIn == 0 {
-		expires = time.Time{}
-	}
 	return &oauth2.Token{
 		AccessToken:  body.AccessToken,
 		RefreshToken: body.RefreshToken,
-		Expiry:       expires,
+		Expiry:       dbtime.Now().Add(time.Duration(body.ExpiresIn) * time.Second),
 	}, nil
 }