fix(generic): check expiry of structured tokens

add expiry check for `auth_token` and `refresh token` values
add generic StructuredToken class with expiration status property
include minimal JWT reader to decode and extract data

Author: becm

src/shared/Core/Authentication/StructuredToken.cs

@@ -0,0 +1,57 @@
+using System;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+
+namespace GitCredentialManager.Authentication
+{
+    public abstract class StructuredToken
+    {
+        private class JwtHeader
+        {
+            [JsonRequired]
+            [JsonInclude]
+            [JsonPropertyName("typ")]
+            public string Type { get; private set; }
+        }
+        private class JwtPayload : StructuredToken
+        {
+            [JsonRequired]
+            [JsonInclude]
+            [JsonPropertyName("exp")]
+            public long Expiry { get; private set; }
+
+            public override bool IsExpired
+            {
+                get
+                {
+                    return Expiry < DateTimeOffset.Now.ToUnixTimeSeconds();
+                }
+            }
+        }
+
+        public abstract bool IsExpired { get; }
+
+        public static bool TryCreate(string value, out StructuredToken token)
+        {
+            try
+            {
+                // elements of JWT structure "<header>.<payload>.<signature>"
+                var parts = value.Split('.');
+                if (parts.Length == 3)
+                {
+                    var header = JsonSerializer.Deserialize<JwtHeader>(Base64UrlConvert.Decode(parts[0]));
+                    if ("JWT".Equals(header.Type, StringComparison.OrdinalIgnoreCase))
+                    {
+                        token = JsonSerializer.Deserialize<JwtPayload>(Base64UrlConvert.Decode(parts[1]));
+                        return true;
+                    }
+                }
+            }
+            catch { }
+
+            // invalid token data on content mismatch or deserializer exception
+            token = null;
+            return false;
+        }
+    }
+}

src/shared/Core/GenericHostProvider.cs

@@ -74,17 +74,20 @@ public async Task<GetCredentialResult> GetCredentialAsync(InputArguments input)
             if (credential == null)
             {
                 _context.Trace.WriteLine("No existing credentials found.");
-
-                // No existing credential was found, create a new one
-                _context.Trace.WriteLine("Creating new credential...");
-                return await GenerateCredentialAsync(input);
+            }
+            else if (StructuredToken.TryCreate(credential.Password, out var token) && token.IsExpired)
+            {
+                _context.Trace.WriteLine("Credential is expired token.");
             }
             else
             {
                 _context.Trace.WriteLine("Existing credential found.");
+                return new GetCredentialResult(credential);
             }
 
-            return new GetCredentialResult(credential);
+            // No valid credential was found, create a new one
+            _context.Trace.WriteLine("Creating new credential...");
+            return await GenerateCredentialAsync(input);
         }
 
         public Task StoreCredentialAsync(InputArguments input)
@@ -288,9 +291,9 @@ private async Task<ICredential> GetOAuthAccessToken(Uri remoteUri, string userNa
             string refreshService = new UriBuilder(remoteUri) { Host = $"refresh_token.{remoteUri.Host}" }
                 .Uri.AbsoluteUri.TrimEnd('/');
 
-            // Try to use a refresh token if we have one
+            // Try to use a (valid) refresh token if we have one
             ICredential refreshToken = _context.CredentialStore.Get(refreshService, userName);
-            if (refreshToken != null)
+            if (refreshToken != null && !(StructuredToken.TryCreate(refreshToken.Password, out var token) && token.IsExpired))
             {
                 try
                 {