fix(generic): check expiry in JWT password values

add minimal JWT data class for content decoding and extraction
add decoding support to Base64Url convertor
override GenericHostProvider credential query to check for JWT content
add expiry check to refresh token

Author: becm

src/shared/Core/Authentication/OAuth/Json/WebToken.cs

@@ -0,0 +1,52 @@
+using System;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+
+namespace GitCredentialManager.Authentication.Oauth.Json
+{
+    public class WebToken(WebToken.TokenHeader header, WebToken.TokenPayload payload, string signature)
+    {
+        public class TokenHeader
+        {
+            [JsonRequired]
+            [JsonPropertyName("typ")]
+            public string Type { get; set; }
+        }
+        public class TokenPayload
+        {
+            [JsonRequired]
+            [JsonPropertyName("exp")]
+            public long Expiry { get; set; }
+        }
+        public TokenHeader Header { get; } = header;
+        public TokenPayload Payload { get; } = payload;
+        public string Signature { get; } = signature;
+
+        static public WebToken TryCreate(string value)
+        {
+            try
+            {
+                var parts = value.Split('.');
+                if (parts.Length != 3)
+                {
+                    return null;
+                }
+                var header = JsonSerializer.Deserialize<TokenHeader>(Base64UrlConvert.Decode(parts[0]));
+                var payload = JsonSerializer.Deserialize<TokenPayload>(Base64UrlConvert.Decode(parts[1]));
+                return new WebToken(header, payload, parts[2]);
+            }
+            catch
+            {
+                return null;
+            }
+
+        }
+
+        static public bool IsExpiredToken(string value)
+        {
+            var token = TryCreate(value);
+            return token != null && token.Payload.Expiry < DateTimeOffset.Now.ToUnixTimeSeconds();
+
+        }
+    }
+}

src/shared/Core/Base64UrlConvert.cs

@@ -4,22 +4,43 @@ namespace GitCredentialManager
 {
     public static class Base64UrlConvert
     {
+
+        // The base64url format is the same as regular base64 format except:
+        //   1. character 62 is "-" (minus) not "+" (plus)
+        //   2. character 63 is "_" (underscore) not "/" (slash)
+        //   3. padding is optional
+        private const char base64PadCharacter = '=';
+        const char base64Character62 = '+';
+        const char base64Character63 = '/';
+        const char base64UrlCharacter62 = '-';
+        const char base64UrlCharacter63 = '_';
+
         public static string Encode(byte[] data, bool includePadding = true)
         {
-            const char base64PadCharacter = '=';
-            const char base64Character62 = '+';
-            const char base64Character63 = '/';
-            const char base64UrlCharacter62 = '-';
-            const char base64UrlCharacter63 = '_';
-
-            // The base64url format is the same as regular base64 format except:
-            //   1. character 62 is "-" (minus) not "+" (plus)
-            //   2. character 63 is "_" (underscore) not "/" (slash)
             string base64Url = Convert.ToBase64String(data)
                 .Replace(base64Character62, base64UrlCharacter62)
                 .Replace(base64Character63, base64UrlCharacter63);
 
             return includePadding ? base64Url : base64Url.TrimEnd(base64PadCharacter);
         }
+
+        public static byte[] Decode(string data, bool includePadding = true)
+        {
+            string base64 = data
+                .Replace(base64UrlCharacter62, base64Character62)
+                .Replace(base64UrlCharacter63, base64Character63);
+
+            switch (base64.Length % 4)
+            {
+                case 2:
+                    base64 += base64PadCharacter;
+                    goto case 3;
+                case 3:
+                    base64 += base64PadCharacter;
+                    break;
+            }
+
+            return Convert.FromBase64String(base64);
+        }
     }
 }

src/shared/Core/GenericHostProvider.cs

@@ -5,6 +5,7 @@
 using System.Threading;
 using System.Threading.Tasks;
 using GitCredentialManager.Authentication;
+using GitCredentialManager.Authentication.Oauth.Json;
 using GitCredentialManager.Authentication.OAuth;
 
 namespace GitCredentialManager
@@ -125,6 +126,19 @@ public override async Task<ICredential> GenerateCredentialAsync(InputArguments i
             return await _basicAuth.GetCredentialsAsync(uri.AbsoluteUri, input.UserName);
         }
 
+        public override async Task<ICredential> GetCredentialAsync(InputArguments input)
+        {
+            var credential = await base.GetCredentialAsync(input);
+            if (WebToken.IsExpiredToken(credential.Password))
+            {
+                // No existing credential was found, create a new one
+                Context.Trace.WriteLine("Refreshing expired JWT credential...");
+                credential = await GenerateCredentialAsync(input);
+                Context.Trace.WriteLine("Credential created.");
+            }
+            return credential;
+        }
+
         private async Task<ICredential> GetOAuthAccessToken(Uri remoteUri, string userName, GenericOAuthConfig config, ITrace2 trace2)
         {
             // TODO: Determined user info from a webcall? ID token? Need OIDC support
@@ -152,7 +166,7 @@ private async Task<ICredential> GetOAuthAccessToken(Uri remoteUri, string userNa
 
             // Try to use a refresh token if we have one
             ICredential refreshToken = Context.CredentialStore.Get(refreshService, userName);
-            if (refreshToken != null)
+            if (refreshToken != null && !WebToken.IsExpiredToken(refreshToken.Password))
             {
                 try
                 {