Fix service token generation

[MarceloRGonc]

Fixes OPS-3197.

[linear]

OPS-3197 Error generating Service token

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch mg/OPS-3197

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR fixes service token generation by filtering out JWT-specific metadata fields before creating new service tokens. The issue (OPS-3197) was likely caused by including exp, iat, and iss fields from an existing principal when generating a new token, which could lead to invalid or expired tokens.

Key changes:

• Destructures and excludes JWT metadata fields (exp, iat, iss) from the principal before token signing
• Preserves all other principal properties in the new service token payload

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[greptile-apps]

Greptile Overview

Greptile Summary

Fixed JWT claim double-encoding bug in generateServiceToken by filtering out standard JWT claims (exp, iat, iss) before re-signing.

• When converting a user JWT to a service JWT, the decoded principal included JWT metadata fields (exp, iat, iss)
• These fields were being passed directly to jwtUtils.sign(), which adds its own fresh JWT claims
• This resulted in nested or conflicting JWT claims in the service JWT
• The fix destructures the principal to exclude these three standard JWT claims before signing
• The jwtUtils.sign() function now correctly adds fresh exp, iat, and iss values without conflicts

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The fix correctly addresses JWT claim conflicts by filtering standard claims before re-signing, uses proper TypeScript destructuring, and follows JWT best practices by letting the library manage claim generation
• No files require special attention

Important Files Changed

File Analysis

Filename	Score	Overview
packages/server/api/src/app/authentication/context/access-token-manager.ts	5/5	Fixed service token generation by excluding JWT standard claims (exp, iat, iss) from being re-encoded in the new token, preventing double-encoding issues

Sequence Diagram

sequenceDiagram
    participant Client
    participant generateServiceToken
    participant extractPrincipal
    participant jwtUtils

    Client->>generateServiceToken: user JWT
    generateServiceToken->>extractPrincipal: decode user JWT
    extractPrincipal->>jwtUtils: decodeAndVerify
    jwtUtils-->>extractPrincipal: Principal with exp iat iss
    extractPrincipal-->>generateServiceToken: return Principal
    
    Note over generateServiceToken: Fix applied here:<br/>Destructure to exclude exp iat iss<br/>before re-signing
    
    generateServiceToken->>jwtUtils: sign clean payload
    jwtUtils-->>generateServiceToken: new service JWT
    generateServiceToken-->>Client: return service JWT

Loading

[greptile-apps]

_{1 file reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}