fix: fix access token response to use remaining seconds #39
appleboy commented Feb 19, 2026
- Use the correct remaining seconds until token expiration instead of the expiration timestamp in the access token response

Signed-off-by: appleboy <[email protected]>
Pull request overview
This PR corrects the OAuth token endpoint’s expires_in field for the authorization code grant to return remaining lifetime (seconds) instead of an absolute Unix expiration timestamp, aligning the response with common OAuth client expectations.
Changes:
- Update `expires_in` in the authorization code grant token response to use remaining seconds until `ExpiresAt`.
- Add `time` import to support the new calculation.
| resp := gin.H{ | ||
| "access_token": accessToken.Token, | ||
| "token_type": accessToken.TokenType, | ||
| "expires_in": int(accessToken.ExpiresAt.Unix()), | ||
| "expires_in": int(time.Until(accessToken.ExpiresAt).Seconds()), | ||
| "scope": accessToken.Scopes, |
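Review bot: on the new `expires_in` line, `time.Until(accessToken.ExpiresAt)` is evaluated against the wall clock inside the map literal, so the value cannot be pinned in a unit test, and a token whose `ExpiresAt` has already passed is still returned in `resp`. Consider computing the remaining lifetime once before building `resp` and failing the request when it is not positive, rather than handing the client a token it will treat as already expired.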
expires_in is derived via int(time.Until(accessToken.ExpiresAt).Seconds()), which converts through float seconds (truncation/precision) and can produce a negative value if ExpiresAt is already in the past (e.g., provider clock skew or misconfigured expiry). Consider computing remaining seconds using integer duration math (e.g., duration / time.Second) and clamping to a minimum of 0 to keep the OAuth expires_in field non-negative and stable.
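The integer-only, clamped calculation suggested in the review comment above, as an added Go example (not code from this PR or the project). `expiresIn` and `clientExpiry` are hypothetical helper names and the timestamps are constructed; the client side is included to show what the pre-fix value does to a client's view of token lifetime.

```go
package main

import (
	"fmt"
	"time"
)

// expiresIn returns the whole seconds left until expiresAt, measured from now.
// It uses integer Duration division (no float conversion) and never returns
// a negative value. Taking now as a parameter keeps the result testable.
func expiresIn(expiresAt, now time.Time) int64 {
	remaining := expiresAt.Sub(now)
	if remaining <= 0 {
		return 0
	}
	return int64(remaining / time.Second)
}

// clientExpiry models what an OAuth client does with expires_in: it adds the
// value, interpreted as seconds, to the time the response was received.
func clientExpiry(receivedAt time.Time, expiresInSeconds int64) time.Time {
	return receivedAt.Add(time.Duration(expiresInSeconds) * time.Second)
}

func main() {
	// Constructed sample: a token issued at a fixed instant, valid for one hour.
	now := time.Date(2026, 2, 19, 12, 0, 0, 0, time.UTC)
	expiresAt := now.Add(time.Hour)

	before := expiresAt.Unix()         // pre-fix value: absolute Unix timestamp
	after := expiresIn(expiresAt, now) // post-fix value: remaining seconds

	fmt.Println("pre-fix expires_in: ", before,
		"-> client believes token is valid until year", clientExpiry(now, before).Year())
	fmt.Println("post-fix expires_in:", after,
		"-> client believes token is valid until", clientExpiry(now, after))
	fmt.Println("ExpiresAt already in the past:", expiresIn(now.Add(-time.Minute), now))
}
```
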