🩹 [Patch]: Add TokenExpiresAt property and update expiration logic for GitHubAppContext (#494)

MariusStorhaug · Copilot · web-flow · commit 82939b5cb214 · 2025-09-04T12:39:31.000+02:00
## Description This pull request improves how token expiry information is handled and displayed for GitHub authentication contexts in both code and documentation. The main changes introduce automatic token renewal for GitHub Apps, add new properties to track token expiry, update formatting and type definitions to support these properties, and enhance tests to validate the new behavior. **Authentication and token management improvements:** * Added documentation in `README.md` explaining that short-lived tokens (for GitHub Apps) are automatically renewed by the module, clarifying the difference from long-lived tokens. * Removed outdated/duplicated token renewal documentation and examples from `README.md` to streamline the explanation. **Code and formatting updates:** * Added `TokenExpiresAt` property to `GitHubContext` and `GitHubAppContext` classes, and implemented a `TokenExpiresIn` script property for `GitHubAppContext` to calculate remaining token time. * Updated `GitHubContext.Format.ps1xml` to display `TokenExpiresAt` and `TokenExpiresIn` in relevant views, adjusted expiry logic (`-le 0` instead of `-lt 0`), and added special handling for token types (e.g., 10-minute expiry for APP tokens). **Testing enhancements:** * Extended tests in `GitHub.Tests.ps1` to verify that authentication contexts include valid `TokenExpiresAt` and `TokenExpiresIn` properties. ## Type of change  - [ ] 📖 [Docs] - [ ] 🪲 [Fix] - [x] 🩹 [Patch] - [ ] ⚠️ [Security fix] - [ ] 🚀 [Feature] - [ ] 🌟 [Breaking change] ## Checklist  - [x] I have performed a self-review of my own code - [x] I have commented my code, particularly in hard-to-understand areas --------- Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
diff --git a/README.md b/README.md
@@ -70,34 +70,7 @@ Press Enter to open github.com in your browser...:  #-> Press enter and paste th
 After this you will need to install the GitHub App on the repos you want to manage. You can do this by visiting the
 [PowerShell for GitHub](https://github.com/apps/powershell-for-github) app page.
 
-> Info: We will be looking to include this as a check in the module in the future. So it becomes a part of the regular sign in process.
 
-Consecutive runs of the `Connect-GitHubAccount` will not require you to paste the code again unless you revoke the token
-or you change the type of authentication you want to use. Instead, it checks the remaining duration of the access token and
-uses the refresh token to get a new access token if its less than 4 hours remaining.
-
-```powershell
-Connect-GitHubAccount
-✓ Access token is still valid for 05:30:41 ...
-✓ Logged in as octocat!
-```
-
-This is also happening automatically when you run a command that requires authentication. The validity of the token is checked before the command is executed.
-If it is no longer valid, the token is refreshed and the command is executed.
-
-```powershell
-Connect-GitHubAccount
-⚠ Access token remaining validity 01:22:31. Refreshing access token...
-✓ Logged in as octocat!
-```
-
-If the timer has gone out, we still have your back. It will just refresh as long as the refresh token is valid.
-
-```powershell
-Connect-GitHubAccount
-⚠ Access token expired. Refreshing access token...
-✓ Logged in as octocat!
-```
 
 #### Personal authentication - User access tokens with OAuth app
 
@@ -223,6 +196,15 @@ Connect-GitHubAccount -Host 'https://msx.ghe.com' -ClientID 'lv123456789'
 ✓ Logged in as octocat!
 ```
 
+#### Automatic token renewal
+
+The module automatically manages short‑lived tokens for GitHub Apps:
+
+- User access tokens (when you authenticate via a GitHub App) are short‑lived and include a refresh token. The module refreshes them automatically before/when they expire—no extra steps are required.
+- App JWTs (when the context is a GitHub App) are generated and rotated automatically per call as needed. You never need to create or renew the JWT yourself.
+
+Note: Long‑lived tokens like classic/fine‑grained PATs and provided installation tokens (GH_TOKEN/GITHUB_TOKEN) are not refreshed by the module.
+
 ### Command Exploration
 
 Familiarize yourself with the available cmdlets using the module's comprehensive documentation or inline help.
diff --git a/src/classes/public/Config/GitHubConfig.ps1 b/src/classes/public/Config/GitHubConfig.ps1
@@ -35,9 +35,6 @@
     # The default value for retry interval in seconds.
     [System.Nullable[int]] $RetryInterval
 
-    # The tolerance time in seconds for JWT token validation.
-    [System.Nullable[int]] $JwtTimeTolerance
-
     # The environment type, which is used to determine the context of the GitHub API calls.
     [string] $EnvironmentType
 
diff --git a/src/classes/public/Context/GitHubContext.ps1 b/src/classes/public/Context/GitHubContext.ps1
@@ -82,6 +82,7 @@
         $this.UserName = $Object.UserName
         $this.Token = $Object.Token
         $this.TokenType = $Object.TokenType
+        $this.TokenExpiresAt = $Object.TokenExpiresAt
         $this.Enterprise = $Object.Enterprise
         $this.Owner = $Object.Owner
         $this.Repository = $Object.Repository
diff --git a/src/formats/GitHubConfig.Format.ps1xml b/src/formats/GitHubConfig.Format.ps1xml
@@ -31,9 +31,6 @@
                             <ListItem>
                                 <PropertyName>AccessTokenGracePeriodInHours</PropertyName>
                             </ListItem>
-                            <ListItem>
-                                <PropertyName>JwtTimeTolerance</PropertyName>
-                            </ListItem>
                             <ListItem>
                                 <PropertyName>ApiVersion</PropertyName>
                             </ListItem>
diff --git a/src/formats/GitHubContext.Format.ps1xml b/src/formats/GitHubContext.Format.ps1xml
@@ -58,7 +58,7 @@
                                     return
                                     }
 
-                                    if ($_.TokenExpiresIn -lt 0) {
+                                    if ($_.TokenExpiresIn -le 0) {
                                     $text = 'Expired'
                                     } else {
                                     $text = $_.TokenExpiresIn.ToString('hh\:mm\:ss')
@@ -73,6 +73,9 @@
                                     'IAT' {
                                     $maxValue = [TimeSpan]::FromHours(1)
                                     }
+                                    'APP' {
+                                    $maxValue = [TimeSpan]::FromMinutes(10)
+                                    }
                                     }
                                     $ratio = [Math]::Min(($_.TokenExpiresIn / $maxValue), 1)
                                     [GitHubFormatter]::FormatColorByRatio($ratio, $text)
@@ -172,6 +175,12 @@
                             <ListItem>
                                 <PropertyName>TokenType</PropertyName>
                             </ListItem>
+                            <ListItem>
+                                <PropertyName>TokenExpiresAt</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>TokenExpiresIn</PropertyName>
+                            </ListItem>
                             <ListItem>
                                 <PropertyName>HostName</PropertyName>
                             </ListItem>
@@ -238,22 +247,22 @@
                                 <PropertyName>TokenType</PropertyName>
                             </ListItem>
                             <ListItem>
-                                <PropertyName>HostName</PropertyName>
+                                <PropertyName>TokenExpiresAt</PropertyName>
                             </ListItem>
                             <ListItem>
-                                <PropertyName>UserName</PropertyName>
+                                <PropertyName>TokenExpiresIn</PropertyName>
                             </ListItem>
                             <ListItem>
-                                <PropertyName>ClientID</PropertyName>
+                                <PropertyName>HostName</PropertyName>
                             </ListItem>
                             <ListItem>
-                                <PropertyName>InstallationID</PropertyName>
+                                <PropertyName>UserName</PropertyName>
                             </ListItem>
                             <ListItem>
-                                <PropertyName>TokenExpiresAt</PropertyName>
+                                <PropertyName>ClientID</PropertyName>
                             </ListItem>
                             <ListItem>
-                                <PropertyName>TokenExpiresIn</PropertyName>
+                                <PropertyName>InstallationID</PropertyName>
                             </ListItem>
                             <ListItem>
                                 <PropertyName>InstallationType</PropertyName>
@@ -311,6 +320,12 @@
                             <ListItem>
                                 <PropertyName>TokenType</PropertyName>
                             </ListItem>
+                            <ListItem>
+                                <PropertyName>TokenExpiresAt</PropertyName>
+                            </ListItem>
+                            <ListItem>
+                                <PropertyName>TokenExpiresIn</PropertyName>
+                            </ListItem>
                             <ListItem>
                                 <PropertyName>HostName</PropertyName>
                             </ListItem>
@@ -326,12 +341,6 @@
                             <ListItem>
                                 <PropertyName>Scope</PropertyName>
                             </ListItem>
-                            <ListItem>
-                                <PropertyName>TokenExpiresAt</PropertyName>
-                            </ListItem>
-                            <ListItem>
-                                <PropertyName>TokenExpiresIn</PropertyName>
-                            </ListItem>
                             <ListItem>
                                 <PropertyName>RefreshTokenExpiresAt</PropertyName>
                             </ListItem>
diff --git a/src/functions/private/Apps/GitHub Apps/New-GitHubUnsignedJWT.ps1 b/src/functions/private/Apps/GitHub Apps/New-GitHubUnsignedJWT.ps1
@@ -45,8 +45,8 @@
             }
         )
         $now = [System.DateTimeOffset]::UtcNow
-        $iat = $now.AddSeconds(-$script:GitHub.Config.JwtTimeTolerance)
-        $exp = $now.AddSeconds($script:GitHub.Config.JwtTimeTolerance)
+        $iat = $now.AddMinutes(-10)
+        $exp = $now.AddMinutes(10)
         $payload = [GitHubJWTComponent]::ToBase64UrlString(
             @{
                 iat = $iat.ToUnixTimeSeconds()
diff --git a/src/functions/private/Apps/GitHub Apps/Test-GitHubJWTRefreshRequired.ps1 b/src/functions/private/Apps/GitHub Apps/Test-GitHubJWTRefreshRequired.ps1
@@ -31,7 +31,7 @@ function Test-GitHubJWTRefreshRequired {
 
     process {
         try {
-            ($Context.TokenExpiresAt - [datetime]::Now).TotalSeconds -le ($script:GitHub.Config.JwtTimeTolerance / 2)
+            ($Context.TokenExpiresAt - [datetime]::Now).TotalSeconds -le 60
         } catch {
             return $true
         }
diff --git a/src/types/GitHubContext.Types.ps1xml b/src/types/GitHubContext.Types.ps1xml
@@ -6,7 +6,7 @@
             <ScriptProperty>
                 <Name>TokenExpiresIn</Name>
                 <GetScriptBlock>
-                    if ($null -eq $this.TokenExpiresAt) { return }
+                    if ($null -eq $this.TokenExpiresAt) { return [TimeSpan]::Zero }
                     $timeRemaining = $this.TokenExpiresAt - [DateTime]::Now
                     if ($timeRemaining.TotalSeconds -lt 0) {
                     return [TimeSpan]::Zero
@@ -17,7 +17,7 @@
             <ScriptProperty>
                 <Name>RefreshTokenExpiresIn</Name>
                 <GetScriptBlock>
-                    if ($null -eq $this.RefreshTokenExpiresAt) { return }
+                    if ($null -eq $this.RefreshTokenExpiresAt) { return [TimeSpan]::Zero }
                     $timeRemaining = $this.RefreshTokenExpiresAt - [DateTime]::Now
                     if ($timeRemaining.TotalSeconds -lt 0) {
                     return [TimeSpan]::Zero
@@ -29,6 +29,22 @@
     </Type>
     <Type>
         <Name>GitHubAppInstallationContext</Name>
+        <Members>
+            <ScriptProperty>
+                <Name>TokenExpiresIn</Name>
+                <GetScriptBlock>
+                    if ($null -eq $this.TokenExpiresAt) { return [TimeSpan]::Zero }
+                    $timeRemaining = $this.TokenExpiresAt - [DateTime]::Now
+                    if ($timeRemaining.TotalSeconds -lt 0) {
+                    return [TimeSpan]::Zero
+                    }
+                    return $timeRemaining
+                </GetScriptBlock>
+            </ScriptProperty>
+        </Members>
+    </Type>
+    <Type>
+        <Name>GitHubAppContext</Name>
         <Members>
             <ScriptProperty>
                 <Name>TokenExpiresIn</Name>
diff --git a/src/variables/private/GitHub.ps1 b/src/variables/private/GitHub.ps1
@@ -18,7 +18,6 @@ $script:GitHub = [pscustomobject]@{
         PerPage                       = 100
         RetryCount                    = 0
         RetryInterval                 = 1
-        JwtTimeTolerance              = 300
         EnvironmentType               = Get-GitHubEnvironmentType
     }
     Config             = $null
diff --git a/tests/Emojis.Tests.ps1 b/tests/Emojis.Tests.ps1
@@ -0,0 +1,67 @@
+﻿#Requires -Modules @{ ModuleName = 'Pester'; RequiredVersion = '5.7.1' }
+
+[Diagnostics.CodeAnalysis.SuppressMessageAttribute(
+    'PSUseDeclaredVarsMoreThanAssignments', '',
+    Justification = 'Pester grouping syntax: known issue.'
+)]
+[Diagnostics.CodeAnalysis.SuppressMessageAttribute(
+    'PSAvoidUsingConvertToSecureStringWithPlainText', '',
+    Justification = 'Used to create a secure string for testing.'
+)]
+[Diagnostics.CodeAnalysis.SuppressMessageAttribute(
+    'PSAvoidUsingWriteHost', '',
+    Justification = 'Log outputs to GitHub Actions logs.'
+)]
+[Diagnostics.CodeAnalysis.SuppressMessageAttribute(
+    'PSAvoidLongLines', '',
+    Justification = 'Long test descriptions and skip switches'
+)]
+[CmdletBinding()]
+param()
+
+Describe 'Emojis' {
+    $authCases = . "$PSScriptRoot/Data/AuthCases.ps1"
+
+    Context 'As <Type> using <Case> on <Target>' -ForEach $authCases {
+        BeforeAll {
+            $context = Connect-GitHubAccount @connectParams -PassThru -Silent
+            LogGroup 'Context' {
+                Write-Host ($context | Format-List | Out-String)
+            }
+        }
+        AfterAll {
+            Get-GitHubContext -ListAvailable | Disconnect-GitHubAccount -Silent
+            Write-Host ('-' * 60)
+        }
+
+        # Tests for APP goes here
+        if ($AuthType -eq 'APP') {
+            It 'Connect-GitHubApp - Connects as a GitHub App to <Owner>' {
+                $context = Connect-GitHubApp @connectAppParams -PassThru -Default -Silent
+                LogGroup 'Context' {
+                    Write-Host ($context | Format-List | Out-String)
+                }
+            }
+        }
+
+        # Tests for runners goes here
+        if ($Type -eq 'GitHub Actions') {}
+
+        # Tests for IAT UAT and PAT goes here
+        It 'Get-GitHubEmoji - Gets a list of all emojis' {
+            $emojis = Get-GitHubEmoji
+            LogGroup 'emojis' {
+                Write-Host ($emojis | Format-Table | Out-String)
+            }
+            $emojis | Should -Not -BeNullOrEmpty
+        }
+        It 'Get-GitHubEmoji - Downloads all emojis' {
+            Get-GitHubEmoji -Path $Home
+            LogGroup 'emojis' {
+                $emojis = Get-ChildItem -Path $Home -File
+                Write-Host ($emojis | Format-Table | Out-String)
+            }
+            $emojis | Should -Not -BeNullOrEmpty
+        }
+    }
+}
diff --git a/tests/GitHub.Tests.ps1 b/tests/GitHub.Tests.ps1
@@ -79,6 +79,9 @@ Describe 'Auth' {
                 Write-Host ($context | Format-List | Out-String)
             }
             $context | Should -Not -BeNullOrEmpty
+            $context | Should -BeOfType [GitHubContext]
+            $context.TokenExpiresAt | Should -BeOfType [DateTime]
+            $context.TokenExpiresIn | Should -BeOfType [TimeSpan]
         }
 
         It 'Connect-GitHubApp - Connects as a GitHub App to <Owner>' -Skip:($AuthType -ne 'APP') {
@@ -106,6 +109,8 @@ Describe 'Auth' {
             LogGroup 'Connect-GithubApp' {
                 $context
             }
+            $context.TokenExpiresAt | Should -BeOfType [DateTime]
+            $context.TokenExpiresIn | Should -BeOfType [TimeSpan]
             LogGroup 'Context' {
                 Write-Host ($context | Format-List | Out-String)
             }
@@ -763,53 +768,6 @@ Describe 'API' {
     }
 }
 
-Describe 'Emojis' {
-    $authCases = . "$PSScriptRoot/Data/AuthCases.ps1"
-
-    Context 'As <Type> using <Case> on <Target>' -ForEach $authCases {
-        BeforeAll {
-            $context = Connect-GitHubAccount @connectParams -PassThru -Silent
-            LogGroup 'Context' {
-                Write-Host ($context | Format-List | Out-String)
-            }
-        }
-        AfterAll {
-            Get-GitHubContext -ListAvailable | Disconnect-GitHubAccount -Silent
-            Write-Host ('-' * 60)
-        }
-
-        # Tests for APP goes here
-        if ($AuthType -eq 'APP') {
-            It 'Connect-GitHubApp - Connects as a GitHub App to <Owner>' {
-                $context = Connect-GitHubApp @connectAppParams -PassThru -Default -Silent
-                LogGroup 'Context' {
-                    Write-Host ($context | Format-List | Out-String)
-                }
-            }
-        }
-
-        # Tests for runners goes here
-        if ($Type -eq 'GitHub Actions') {}
-
-        # Tests for IAT UAT and PAT goes here
-        It 'Get-GitHubEmoji - Gets a list of all emojis' {
-            $emojis = Get-GitHubEmoji
-            LogGroup 'emojis' {
-                Write-Host ($emojis | Format-Table | Out-String)
-            }
-            $emojis | Should -Not -BeNullOrEmpty
-        }
-        It 'Get-GitHubEmoji - Downloads all emojis' {
-            Get-GitHubEmoji -Path $Home
-            LogGroup 'emojis' {
-                $emojis = Get-ChildItem -Path $Home -File
-                Write-Host ($emojis | Format-Table | Out-String)
-            }
-            $emojis | Should -Not -BeNullOrEmpty
-        }
-    }
-}
-
 Describe 'Webhooks' {
     BeforeAll {
         $secret = "It's a Secret to Everybody"

Original file line number	Diff line number	Diff line change
`@@ -45,8 +45,8 @@`
`45`	`45`	`}`
`46`	`46`	`)`
`47`	`47`	`$now = [System.DateTimeOffset]::UtcNow`
`48`		`- $iat = $now.AddSeconds(-$script:GitHub.Config.JwtTimeTolerance)`
`49`		`- $exp = $now.AddSeconds($script:GitHub.Config.JwtTimeTolerance)`
	`48`	`+ $iat = $now.AddMinutes(-10)`
	`49`	`+ $exp = $now.AddMinutes(10)`
`50`	`50`	`$payload = [GitHubJWTComponent]::ToBase64UrlString(`
`51`	`51`	`@{`
`52`	`52`	`iat = $iat.ToUnixTimeSeconds()`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ function Test-GitHubJWTRefreshRequired {`
`31`	`31`
`32`	`32`	`process {`
`33`	`33`	`try {`
`34`		`- ($Context.TokenExpiresAt - [datetime]::Now).TotalSeconds -le ($script:GitHub.Config.JwtTimeTolerance / 2)`
	`34`	`+ ($Context.TokenExpiresAt - [datetime]::Now).TotalSeconds -le 60`
`35`	`35`	`} catch {`
`36`	`36`	`return $true`
`37`	`37`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,6 @@ $script:GitHub = [pscustomobject]@{`
`18`	`18`	`PerPage = 100`
`19`	`19`	`RetryCount = 0`
`20`	`20`	`RetryInterval = 1`
`21`		`- JwtTimeTolerance = 300`
`22`	`21`	`EnvironmentType = Get-GitHubEnvironmentType`
`23`	`22`	`}`
`24`	`23`	`Config = $null`