Fail on authentication tokens without expiration (#597)

* Fail on tokens without expiration

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: ponyisi

servicex/servicex_adapter.py

@@ -85,11 +85,21 @@ def _get_bearer_token_file():
                 bearer_token = f.read().strip()
         return bearer_token
 
+    @staticmethod
+    def _get_token_expiration(token) -> int:
+        decoded_token = jwt.decode(token, verify=False)
+        if "exp" not in decoded_token:
+            raise RuntimeError(
+                "Authentication token does not have expiration set. "
+                f"Token data: {decoded_token}"
+            )
+        return decoded_token["exp"]
+
     async def _get_authorization(self, force_reauth: bool = False) -> Dict[str, str]:
         now = time.time()
         if (
             self.token
-            and jwt.decode(self.token, verify=False)["exp"] - now > 60
+            and self._get_token_expiration(self.token) - now > 60
             and not force_reauth
         ):
             # if less than one minute validity, renew
@@ -105,7 +115,7 @@ async def _get_authorization(self, force_reauth: bool = False) -> Dict[str, str]
             if (
                 not self.token
                 or force_reauth
-                or float(jwt.decode(self.token, verify=False)["exp"]) - now < 60
+                or self._get_token_expiration(self.token) - now < 60
             ):
                 await self._get_token()
             return {"Authorization": f"Bearer {self.token}"}

tests/test_servicex_adapter.py

@@ -106,16 +106,18 @@ async def test_get_transforms_wlcg_bearer_token(
     )
     token_file.close()
 
-    os.environ["BEARER_TOKEN_FILE"] = token_file.name
+    with patch.dict(os.environ, {"BEARER_TOKEN_FILE": token_file.name}):
+        # Try with no expiration at all
+        with pytest.raises(RuntimeError):
+            await servicex.get_transforms()
 
-    # Try with an expired token
-    with pytest.raises(AuthorizationError) as err:
-        decode.return_value = {"exp": 0.0}
-        await servicex.get_transforms()
-        assert "ServiceX access token request rejected:" in str(err.value)
+        # Try with an expired token
+        with pytest.raises(AuthorizationError) as err:
+            decode.return_value = {"exp": 0.0}
+            await servicex.get_transforms()
+            assert "ServiceX access token request rejected:" in str(err.value)
 
     os.remove(token_file.name)
-    del os.environ["BEARER_TOKEN_FILE"]
 
 
 @pytest.mark.asyncio