( token: string | undefined, skewMs: number = ACCESS_TOKEN_REFRESH_SKEW_MS, )
| 98 | // opaque tokens (no JWT shape), which conservatively skips the proactive |
| 99 | // refresh and lets the 401-on-call path drive the refresh instead. |
| 100 | export function accessTokenIsExpiring( |
| 101 | token: string | undefined, |
| 102 | skewMs: number = ACCESS_TOKEN_REFRESH_SKEW_MS, |
| 103 | ): boolean { |
| 104 | if (!token || typeof token !== "string") return false |
| 105 | const parts = token.split(".") |
| 106 | if (parts.length < 2) return false |
| 107 | try { |
| 108 | let payload = parts[1].replace(/-/g, "+").replace(/_/g, "/") |
| 109 | while (payload.length % 4 !== 0) payload += "=" |
| 110 | const claims = JSON.parse(Buffer.from(payload, "base64").toString("utf8")) |
| 111 | if (typeof claims?.exp !== "number") return false |
| 112 | return claims.exp * 1000 <= Date.now() + Math.max(0, skewMs) |
| 113 | } catch { |
| 114 | return false |
| 115 | } |
| 116 | } |
| 117 | |
| 118 | export function buildAuthorizeUrl( |
| 119 | pkce: PkceCodes, |
no test coverage detected