fix: add buffer for expiry_date

src/auth/computeclient.ts

@@ -69,8 +69,7 @@ export class Compute extends OAuth2Client {
     }
     const tokens = res.data as Credentials;
     if (res.data && res.data.expires_in) {
-      tokens.expiry_date =
-          ((new Date()).getTime() + (res.data.expires_in * 1000));
+      tokens.expiry_date = this.getExpirationDate(res.data.expires_in);
       delete (tokens as CredentialRequest).expires_in;
     }
     return {tokens, res};

src/auth/oauth2client.ts

@@ -404,8 +404,7 @@ export class OAuth2Client extends AuthClient {
     });
     const tokens = res.data as Credentials;
     if (res.data && res.data.expires_in) {
-      tokens.expiry_date =
-          ((new Date()).getTime() + (res.data.expires_in * 1000));
+      tokens.expiry_date = this.getExpirationDate(res.data.expires_in);
       delete (tokens as CredentialRequest).expires_in;
     }
     return {tokens, res};
@@ -435,10 +434,8 @@ export class OAuth2Client extends AuthClient {
       headers: {'Content-Type': 'application/x-www-form-urlencoded'}
     });
     const tokens = res.data as Credentials;
-    // TODO: de-duplicate this code from a few spots
     if (res.data && res.data.expires_in) {
-      tokens.expiry_date =
-          ((new Date()).getTime() + (res.data.expires_in * 1000));
+      tokens.expiry_date = this.getExpirationDate(res.data.expires_in);
       delete (tokens as CredentialRequest).expires_in;
     }
     return {tokens, res};
@@ -936,4 +933,17 @@ export class OAuth2Client extends AuthClient {
     const buffer = new Buffer(b64String, 'base64');
     return buffer.toString('utf8');
   }
+
+  /**
+   * Given an expiration window in seconds, calculate the date when
+   * the token will expore. Due to network latency, this calculation
+   * can be slightly off, causing intermittent 401s in consumer
+   * applications.  To avoid that condition, subtract a second from
+   * the expiration time.
+   * @param expiresIn Time left in seconds.
+   * @returns The datetime when the token expires.
+   */
+  protected getExpirationDate(expiresIn: number) {
+    return ((new Date()).getTime() + (expiresIn * 1000)) - 1000;
+  }
 }

test/test.oauth2.ts

@@ -1133,25 +1133,20 @@ describe('OAuth2 client', () => {
       assert(params.code_verifier === 'its_verified');
     });
 
-    it('should return expiry_date', (done) => {
-      const now = (new Date()).getTime();
-      const scope =
-          nock('https://www.googleapis.com')
-              .post('/oauth2/v4/token', undefined, {
-                reqheaders:
-                    {'Content-Type': 'application/x-www-form-urlencoded'}
-              })
-              .reply(
-                  200,
-                  {access_token: 'abc', refresh_token: '123', expires_in: 10});
+    it('should return expiry_date', async () => {
+      nock('https://www.googleapis.com')
+          .post('/oauth2/v4/token', undefined, {
+            reqheaders: {'Content-Type': 'application/x-www-form-urlencoded'}
+          })
+          .reply(
+              200, {access_token: 'abc', refresh_token: '123', expires_in: 10});
       const oauth2client =
           new OAuth2Client(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI);
-      oauth2client.getToken('code here', (err, tokens) => {
-        assert(tokens!.expiry_date! >= now + (10 * 1000));
-        assert(tokens!.expiry_date! <= now + (15 * 1000));
-        scope.done();
-        done();
-      });
+      // we expect the token to expire 1 second early.
+      const exp = (new Date()).getTime() + (10 * 1000) - 1000;
+      const res = await oauth2client.getToken('code here');
+      assert(res.tokens.expiry_date! >= exp);
+      assert(res.tokens.expiry_date! <= (exp + 5000));
     });
 
     it('should accept custom authBaseUrl and tokenUrl', async () => {