Fix token expiration

ikhimenko · web-flow · commit 8a99c45902dd · 2026-03-13T16:11:18.000+01:00
diff --git a/lib/lara/auth_token.rb b/lib/lara/auth_token.rb
@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require "json"
+require "base64"
+
 module Lara
   # JWT authentication token for API access
   class AuthToken
@@ -8,10 +11,34 @@ class AuthToken
     def initialize(token, refresh_token)
       @token = token
       @refresh_token = refresh_token
+      @expires_at_ms = parse_expires_at_ms(token)
     end
 
     def to_s
       token
     end
+
+    def token_expired?
+      @expires_at_ms <= (Time.now.to_f * 1000).to_i + 5_000 # 5 seconds buffer
+    end
+
+    private
+
+    def parse_expires_at_ms(token)
+      return 0 if token.nil? || token.empty?
+
+      parts = token.split(".")
+      return 0 if parts.length != 3
+
+      b64 = parts[1].tr("-_", "+/")
+      b64 += "=" * (4 - (b64.length % 4)) if b64.length % 4 != 0
+
+      exp = JSON.parse(Base64.decode64(b64))["exp"]
+      return 0 unless exp.is_a?(Numeric)
+
+      (exp * 1000).to_i
+    rescue StandardError
+      0
+    end
   end
 end
diff --git a/lib/lara/client.rb b/lib/lara/client.rb
@@ -7,6 +7,7 @@
 require "base64"
 require "digest"
 require "uri"
+require "monitor"
 
 module Lara
   # This class is used to interact with Lara via the REST API.
@@ -31,7 +32,7 @@ def initialize(auth_method, base_url: DEFAULT_BASE_URL, connection_timeout: nil,
       @connection_timeout = connection_timeout
       @read_timeout = read_timeout
       @extra_headers = {}
-      @auth_mutex = Mutex.new
+      @auth_mutex = Monitor.new
 
       @connection = build_connection
     end
@@ -93,23 +94,37 @@ def request(method, path, body: nil, files: nil, headers: nil, params: nil, raw_
       make_request(method, path, body: body, files: files, headers: headers, params: params,
                    raw_response: raw_response, &callback)
     rescue LaraApiError => e
-      # Auto-refresh token on 401 with jwt expired
-      raise unless e.status_code == 401 && e.message.include?("jwt expired")
+      raise unless e.status_code == 401
 
-      refresh_token
-      # Retry once with new token
+      @auth_mutex.synchronize { refresh_or_reauthenticate }
       make_request(method, path, body: body, files: files, headers: headers, params: params,
                    raw_response: raw_response, &callback)
     end
 
     def ensure_valid_token
       @auth_mutex.synchronize do
-        return if @auth_token
+        return if @auth_token && !@auth_token.token_expired?
 
-        raise LaraError, "No authentication method available" unless @credentials
+        refresh_or_reauthenticate
+      end
+    end
+
+    def refresh_or_reauthenticate
+      if @auth_token&.refresh_token && !@auth_token.refresh_token.empty?
+        begin
+          do_refresh
+          return
+        rescue StandardError
+          raise unless @credentials
+        end
+      end
 
+      if @credentials
         @auth_token = authenticate
+        return
       end
+
+      raise LaraError, "No authentication method available for token renewal"
     end
 
     def authenticate
@@ -143,47 +158,37 @@ def authenticate
       raise LaraApiError.from_response(response) unless response.success?
 
       data = JSON.parse(response.body)
-      refresh_token = response.headers["x-lara-refresh-token"]
+      refresh_token_value = response.headers["x-lara-refresh-token"]
 
-      raise LaraError, "Missing refresh token in authentication response" unless refresh_token
+      raise LaraError, "Missing refresh token in authentication response" unless refresh_token_value
 
-      AuthToken.new(data["token"], refresh_token)
+      AuthToken.new(data["token"], refresh_token_value)
     end
 
-    def refresh_token
-      @auth_mutex.synchronize do
-        return unless @auth_token
+    def do_refresh
+      raise LaraError, "No refresh token available" unless @auth_token&.refresh_token
 
-        conn = Faraday.new(url: @base_url) do |c|
-          c.adapter Faraday.default_adapter
-        end
-
-        response = conn.post("/v2/auth/refresh") do |req|
-          req.headers = {
-            "Date" => Time.now.utc.strftime("%a, %d %b %Y %H:%M:%S GMT"),
-            "X-Lara-SDK-Name" => "lara-ruby",
-            "X-Lara-SDK-Version" => Lara::VERSION,
-            "Authorization" => "Bearer #{@auth_token&.refresh_token}"
-          }
-        end
+      conn = Faraday.new(url: @base_url) do |c|
+        c.adapter Faraday.default_adapter
+      end
 
-        if response.success?
-          data = JSON.parse(response.body)
-          refresh_token = response.headers["x-lara-refresh-token"]
-
-          if refresh_token
-            @auth_token = AuthToken.new(data["token"], refresh_token)
-          else
-            # Refresh failed, force re-authentication
-            @auth_token = nil
-            ensure_valid_token
-          end
-        else
-          # Refresh failed, force re-authentication
-          @auth_token = nil
-          ensure_valid_token
-        end
+      response = conn.post("/v2/auth/refresh") do |req|
+        req.headers = {
+          "Date" => Time.now.utc.strftime("%a, %d %b %Y %H:%M:%S GMT"),
+          "X-Lara-SDK-Name" => "lara-ruby",
+          "X-Lara-SDK-Version" => Lara::VERSION,
+          "Authorization" => "Bearer #{@auth_token.refresh_token}"
+        }
       end
+
+      raise LaraApiError.from_response(response) unless response.success?
+
+      data = JSON.parse(response.body)
+      refresh_token_value = response.headers["x-lara-refresh-token"]
+
+      raise LaraError, "Missing refresh token in refresh response" unless refresh_token_value
+
+      @auth_token = AuthToken.new(data["token"], refresh_token_value)
     end
 
     def make_request(method, path, body: nil, files: nil, headers: nil, params: nil, raw_response: false, &callback)
diff --git a/lib/lara/errors.rb b/lib/lara/errors.rb
@@ -17,15 +17,16 @@ def initialize(message, status_code = nil)
   class LaraApiError < LaraError
     attr_reader :type
 
-    # Builds an error from an HTTP response with JSON body:
-    # { "error": { "type": "...", "message": "..." } }
+    # Builds an error from an HTTP response with JSON body.
+    # Supports both { "error": { "type": "...", "message": "..." } }
+    # and { "type": "...", "message": "..." } response formats.
     def self.from_response(response)
       data = begin
         JSON.parse(response.body)
       rescue StandardError
         {}
       end
-      error = data["error"] || {}
+      error = data["error"] || data
       error_type = error["type"] || "UnknownError"
       error_message = error["message"] || "An unknown error occurred"
       new(response.status, error_type, error_message)
