From 634e7611a4f3c7b53eb26fdff2184764b3a5733a Mon Sep 17 00:00:00 2001
From: Enol Fernandez <enol.fernandez@egi.eu>
Date: Fri, 27 Sep 2024 11:50:33 +0100
Subject: [PATCH] Fix refresh check

---
 egi_notebooks_hub/egiauthenticator.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/egi_notebooks_hub/egiauthenticator.py b/egi_notebooks_hub/egiauthenticator.py
index 92ba0d7..3871808 100644
--- a/egi_notebooks_hub/egiauthenticator.py
+++ b/egi_notebooks_hub/egiauthenticator.py
@@ -336,14 +336,19 @@ async def refresh_user(self, user, handler=None):
             return True
 
         try:
+            # We want to fall on the safe side for refreshing, hence using
+            # the auth_refresh_age plus one second and negative as the code
+            # checks that the token is valid as of (now - leeway)
+            # See PyJWT code here:
+            # https://github.com/jpadilla/pyjwt/blob/868cf4ab2ca5a0a39da40e5a14dd740b203662b2/jwt/api_jwt.py#L306
+            leeway = -float(self.auth_refresh_age + 1)
             if jwt.decode(
                 access_token,
                 options=dict(
                     verify_signature=False,
                     verify_exp=True,
-                    # we want to fall on the safe side for refreshing
-                    leeway=self.auth_refresh_age + 1,
                 ),
+                leeway=leeway,
             ):
                 # access token is good, no need to keep going
                 self.log.debug("Access token is still good, no refresh needed")