@@ -401,28 +401,62 @@ async def refresh_token(self, refresh_token: str) -> AuthTokens:
401401 new_tokens = AuthTokens .from_dict (data )
402402
403403 # Preserve AWS credentials from old tokens if not in refresh
404- # response
404+ # response, but only if they are still valid (not expired).
405+ # If credentials are expired, do not preserve them.
406+ # If you are relying on credentials being valid after token refresh,
407+ # ensure this is documented and validated here.
405408 if self ._auth_response and self ._auth_response .tokens :
406409 old_tokens = self ._auth_response .tokens
407- if (
408- not new_tokens .access_key_id
409- and old_tokens .access_key_id
410- ):
411- new_tokens .access_key_id = old_tokens .access_key_id
412- if not new_tokens .secret_key and old_tokens .secret_key :
413- new_tokens .secret_key = old_tokens .secret_key
414- if (
415- not new_tokens .session_token
416- and old_tokens .session_token
417- ):
418- new_tokens .session_token = old_tokens .session_token
419- if (
420- not new_tokens .authorization_expires_in
421- and old_tokens .authorization_expires_in
422- ):
423- new_tokens .authorization_expires_in = (
424- old_tokens .authorization_expires_in
410+ # Check if AWS credentials are still valid
411+ expires = getattr (old_tokens , "authorization_expires_in" , None )
412+ if expires and isinstance (expires , datetime ):
413+ if expires > datetime .utcnow ():
414+ # Credentials are still valid, preserve them
415+ if (
416+ not new_tokens .access_key_id
417+ and old_tokens .access_key_id
418+ ):
419+ new_tokens .access_key_id = old_tokens .access_key_id
420+ if not new_tokens .secret_key and old_tokens .secret_key :
421+ new_tokens .secret_key = old_tokens .secret_key
422+ if (
423+ not new_tokens .session_token
424+ and old_tokens .session_token
425+ ):
426+ new_tokens .session_token = old_tokens .session_token
427+ if (
428+ not new_tokens .authorization_expires_in
429+ and old_tokens .authorization_expires_in
430+ ):
431+ new_tokens .authorization_expires_in = (
432+ old_tokens .authorization_expires_in
433+ )
434+ else :
435+ _logger .warning ("Old AWS credentials have expired and will not be preserved." )
436+ else :
437+ # If expiration is not available, preserve credentials but log a warning.
438+ _logger .warning (
439+ "AWS credentials expiration not available; preserving old credentials by assumption."
425440 )
441+ if (
442+ not new_tokens .access_key_id
443+ and old_tokens .access_key_id
444+ ):
445+ new_tokens .access_key_id = old_tokens .access_key_id
446+ if not new_tokens .secret_key and old_tokens .secret_key :
447+ new_tokens .secret_key = old_tokens .secret_key
448+ if (
449+ not new_tokens .session_token
450+ and old_tokens .session_token
451+ ):
452+ new_tokens .session_token = old_tokens .session_token
453+ if (
454+ not new_tokens .authorization_expires_in
455+ and old_tokens .authorization_expires_in
456+ ):
457+ new_tokens .authorization_expires_in = (
458+ old_tokens .authorization_expires_in
459+ )
426460
427461 # Update stored auth response if we have one
428462 if self ._auth_response :
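Review bot: The fallback branch at new lines 436–459 preserves the old AWS credentials whenever `authorization_expires_in` is missing or is not a `datetime`, so the new expiry gate fails open; given the `expires_in` naming, if `AuthTokens.from_dict` stores that field as a number of seconds (the usual OAuth shape) the `isinstance(expires, datetime)` test is always false and the check never rejects anything. The comparison against `datetime.utcnow()` at line 413 also raises `TypeError` if the stored value is timezone-aware, and `utcnow()` is deprecated since Python 3.12. I would normalise the expiry once, compare against an aware `datetime.now(timezone.utc)` (importing `timezone` alongside `datetime`), drop the credentials with the warning when validity cannot be established, and hoist the three identical copy blocks into one helper. `refresh_token` begins and ends outside this hunk, so the rest of the method is not visible here.
```python
def _carry_over_aws_credentials(old_tokens: AuthTokens, new_tokens: AuthTokens) -> None:
    """Copy the AWS fields the refresh response omitted from old_tokens."""
    for field in ("access_key_id", "secret_key", "session_token", "authorization_expires_in"):
        if not getattr(new_tokens, field) and getattr(old_tokens, field):
            setattr(new_tokens, field, getattr(old_tokens, field))

# … unchanged: new_tokens = AuthTokens.from_dict(data) …
if self._auth_response and self._auth_response.tokens:
    old_tokens = self._auth_response.tokens
    expires = old_tokens.authorization_expires_in
    if isinstance(expires, datetime) and expires.tzinfo is None:
        # NOTE(review): assumes naive values are UTC — confirm against from_dict
        expires = expires.replace(tzinfo=timezone.utc)
    if isinstance(expires, datetime) and expires > datetime.now(timezone.utc):
        _carry_over_aws_credentials(old_tokens, new_tokens)
    else:
        # Unknown or past expiry: fail closed rather than reuse possibly-dead keys.
        _logger.warning("Old AWS credentials are expired or have no known expiry; not preserving them.")
# … unchanged: update stored auth response …
```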