cmd/cue: truncate expiry timestamps to seconds

mvdan · mvdan · commit a3fb8e80b3ac · 2024-10-01T14:36:58.000Z
OAuth2 measures expiry in seconds via the expires_in JSON wire format field, so any sub-second units add unnecessary verbosity. For example, this swaps UTC timestamps such as "expiry": "2024-10-01T10:27:51.579344983Z" for much shorter timestamps such as "expiry": "2024-10-01T10:30:57Z" If an access token is obtained at 10:30:59.95, nearly at 10:31, and the server tells the client that the token expires in 24h, this does mean we would refresh the token up to one second sooner. Given that the expiry time is measured in seconds, that the wire format tells the client the expiry in seconds relative to the current time which is already not a fixed point, and that expiry times in practice are measured in entire hours or days, this seems fine. Moreover, renewing an access token slightly too soon is not harmful. Signed-off-by: Daniel Martí <mvdan@mvdan.cc> Change-Id: I73ef6451de091eb1878a54eebda9b15da1234a6f Reviewed-on: https://review.gerrithub.io/c/cue-lang/cue/+/1202037 Reviewed-by: Roger Peppe <rogpeppe@gmail.com> TryBot-Result: CUEcueckoo <cueckoo@cuelang.org> Unity-Result: CUE porcuepine <cue.porcuepine@gmail.com>
diff --git a/cmd/cue/cmd/login.go b/cmd/cue/cmd/login.go
@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"time"
 
 	"github.com/spf13/cobra"
 	"golang.org/x/oauth2"
@@ -99,9 +100,11 @@ inside $CUE_CONFIG_DIR; see 'cue help environment'.
 
 			// For consistency, store timestamps in UTC.
 			tok.Expiry = tok.Expiry.UTC()
+			// OAuth2 measures expiry in seconds via the expires_in JSON wire format field,
+			// so any sub-second units add unnecessary verbosity.
+			tok.Expiry = tok.Expiry.Truncate(time.Second)
 
 			_, err = cueconfig.UpdateRegistryLogin(loginsPath, host.Name, tok)
-
 			if err != nil {
 				return fmt.Errorf("cannot store CUE registry logins: %v", err)
 			}
diff --git a/cmd/cue/cmd/testdata/script/login_immediate.txtar b/cmd/cue/cmd/testdata/script/login_immediate.txtar
@@ -14,7 +14,7 @@ grep -count=1 '"access_token"' cueconfig/logins.json
 # Ensure the contents of the token look correct.
 grep -count=1 '"access_token": "secret-access-token"' cueconfig/logins.json
 grep -count=1 '"token_type": "Bearer"' cueconfig/logins.json
-# Timestamps are always stored in UTC.
-grep '"expiry": "20..-..-..T.*Z"' cueconfig/logins.json
+# Timestamps are always stored in UTC and truncated to seconds.
+grep '"expiry": "20..-..-..T..:..:..Z"' cueconfig/logins.json
 # oauthregistry does not give a refresh token, and we use encoding/json's omitempty.
 ! grep '"refresh_token"' cueconfig/logins.json
