EnsembleUI · anserwaseem · Jun 19, 2026 · sharjeelyunus · Jun 19, 2026
diff --git a/src/auth/token.ts b/src/auth/token.ts
@@ -66,7 +66,9 @@ export function normalizeExpiresAt(expiresAt: unknown): number | undefined {
 }
 
 export function isTokenExpired(idToken: string, expiresAt?: number, bufferSeconds = 60): boolean {
-  const expiry = normalizeExpiresAt(expiresAt) ?? getIdTokenExpiryMs(idToken);
+  const jwtExpiry = getIdTokenExpiryMs(idToken);
+  const configExpiry = normalizeExpiresAt(expiresAt);
+  const expiry = jwtExpiry ?? configExpiry;
   if (expiry === undefined) return true;
   return expiry <= Date.now() + bufferSeconds * 1000;
 }
diff --git a/tests/auth/session.test.ts b/tests/auth/session.test.ts
@@ -182,6 +182,38 @@ describe('getValidAuthSession', () => {
     }
   });
 
+  it('returns ok without refresh when jwt is valid but config expiresAt is stale', async () => {
+    const token = makeJwt({
+      userId: 'u1',
+      email: 'a@b.com',
+      exp: Math.floor(Date.now() / 1000) + 3600,
+    });
+    vi.mocked(globalConfig.readGlobalConfig).mockResolvedValue({
+      user: {
+        uid: 'u1',
+        email: 'a@b.com',
+        idToken: token,
+        refreshToken: 'refresh-123',
+        expiresAt: Date.now() - 3600_000,
+      },
+    });
+
+    const fetchMock = vi.fn();
+    const originalFetch = globalThis.fetch;
+    globalThis.fetch = fetchMock;
+
+    const result = await getValidAuthSession();
+
+    globalThis.fetch = originalFetch;
+
+    expect(result.ok).toBe(true);
+    if (result.ok) {
+      expect(result.idToken).toBe(token);
+      expect(result.refreshed).toBe(false);
+    }
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
   it('refreshes token when expired and refresh token exists', async () => {
     const oldToken = makeJwt({
       userId: 'u1',

diff --git a/tests/auth/token.test.ts b/tests/auth/token.test.ts
@@ -146,10 +146,17 @@ describe('isTokenExpired', () => {
     expect(isTokenExpired(token, undefined, 0)).toBe(false);
   });
 
-  it('uses expiresAt when provided', () => {
+  it('uses expiresAt when jwt has no exp claim', () => {
     vi.setSystemTime(new Date('2025-01-01T12:00:00Z'));
     const token = makeJwt({ userId: 'u1' });
     const futureMs = new Date('2025-06-01').getTime();
     expect(isTokenExpired(token, futureMs)).toBe(false);
   });
+
+  it('prefers jwt exp over stale config expiresAt', () => {
+    vi.setSystemTime(new Date('2025-01-01T12:00:00Z'));
+    const token = makeJwt({ userId: 'u1', exp: 1735736400 });
+    const stalePastMs = new Date('2024-01-01').getTime();
+    expect(isTokenExpired(token, stalePastMs)).toBe(false);
+  });
 });