Fix MQTT reconnection failures due to expired AWS credentials#27
Merged
Conversation
**Problem:** MQTT client was failing to reconnect after connection interruptions with AWS_ERROR_HTTP_WEBSOCKET_UPGRADE_FAILURE errors. The root cause was that AWS IoT credentials have a separate expiration time from JWT tokens, but the reconnection logic only checked JWT expiration before attempting to reconnect with potentially expired AWS credentials. **Solution:** - Added _aws_expires_at field to AuthTokens to track AWS credential expiration - Added are_aws_credentials_expired property to check AWS credential validity - Modified ensure_valid_token() to prioritize AWS credential expiration check - Triggers full re-authentication (not just token refresh) when AWS credentials expire - Preserves AWS credential expiration timestamps during token refresh **Changes:** - src/nwp500/auth.py: Added AWS credential expiration tracking and validation - tests/test_auth.py: Created comprehensive test suite (40 tests) for auth module **Testing:** - All 80 tests passing (40 new auth tests + 40 existing tests) - Type checking: mypy - PASSED - Linting: ruff - PASSED - Coverage: auth.py improved from 31% to 60% **Impact:** Prevents MQTT reconnection failures that occur when: - Connection is interrupted after AWS credentials expire - But before JWT tokens expire (AWS credentials typically expire sooner) - Reconnection attempts would use expired AWS credentials Fixes #<issue_number> (if applicable)
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR fixes MQTT reconnection failures caused by expired AWS IoT credentials. The core issue was that the authentication system only checked JWT token expiration, not AWS credential expiration, leading to failed reconnections when AWS credentials expired before JWT tokens. The solution adds separate tracking and validation for AWS credential expiration, triggering full re-authentication when AWS credentials expire (since token refresh doesn't provide new AWS credentials).
Key Changes:
- Added AWS credential expiration tracking with
_aws_expires_atfield - Implemented
are_aws_credentials_expiredproperty to validate AWS credential validity - Modified
ensure_valid_token()to check AWS credentials before JWT tokens and trigger re-authentication when needed - Added comprehensive test suite (40 new tests) covering authentication flows and expiration scenarios
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/nwp500/auth.py | Added AWS credential expiration tracking, validation property, and enhanced token refresh logic to preserve AWS credential timestamps |
| tests/test_auth.py | New comprehensive test suite with 40 tests covering UserInfo, AuthTokens, exceptions, and NavienAuthClient functionality |
…ired The docstring incorrectly stated 'True if AWS credentials are expired or expiration time is unknown', but the function returns False when expiration time is unknown. Updated to: 'True if AWS credentials are expired, False if expiration time is unknown or credentials are still valid'
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The MQTT client was experiencing reconnection failures with the following errors:
Root Cause
AWS IoT credentials have a separate expiration time from JWT tokens. The reconnection logic was:
Since the token refresh endpoint doesn't return new AWS credentials (only new JWT tokens), expired AWS credentials couldn't be renewed through token refresh alone.
Solution
Core Changes to
src/nwp500/auth.pyAdded AWS credential expiration tracking
_aws_expires_atfield to track when AWS credentials expire separately from JWT tokensauthorization_expires_induring token initializationAdded expiration check property
are_aws_credentials_expiredproperty validates AWS credential validityFalseif expiration time unknown (backward compatible)Enhanced credential validation
ensure_valid_token()to check AWS credentials first (before JWT token)Preserved AWS expiration timestamps
_aws_expires_attimestampNew Test Suite -
tests/test_auth.pyCreated comprehensive test coverage with 40 tests organized into 5 categories:
Critical Tests for MQTT Fix
test_auth_tokens_aws_credentials_expired_false/true- Validates AWS credential expiration detectiontest_ensure_valid_token_aws_credentials_expired- Ensures re-authentication when AWS credentials expiretest_aws_credentials_preservation_in_token_refresh- Validates credential timestamp preservationTesting
Impact
This fix prevents MQTT reconnection failures that occur when:
The client now automatically re-authenticates to obtain fresh AWS credentials when needed for reconnection, ensuring reliable MQTT connectivity.
Backward Compatibility
authorization_expires_inis not provided