External oauth bugfix (#7)

* external oauth bugfix

* cleanup for non-essential expiry logic

* default session time addition

* ruff audit

auth/external_oauth_provider.py

@@ -9,7 +9,9 @@ Google's Authorization Server but does not issue tokens itself.
 """
 
 import logging
+import os
 import time
+from datetime import datetime, timedelta
 from typing import Optional
 
 from starlette.routing import Route
@@ -24,6 +26,9 @@ logger = logging.getLogger(__name__)
 # Google's OAuth 2.0 Authorization Server
 GOOGLE_ISSUER_URL = "https://accounts.google.com"
 
+# Configurable session time in seconds (default: 1 hour)
+SESSION_TIME = int(os.getenv("SESSION_TIME", "3600"))
+
 
 class ExternalOAuthProvider(GoogleProvider):
     """
@@ -75,11 +80,13 @@ class ExternalOAuthProvider(GoogleProvider):
                 from auth.google_auth import get_user_info
 
                 # Create minimal Credentials object for userinfo API call
+                # expiry must be set so credentials.valid returns True
                 credentials = Credentials(
                     token=token,
                     token_uri="https://oauth2.googleapis.com/token",
                     client_id=self._client_id,
                     client_secret=self._client_secret,
+                    expiry=datetime.utcnow() + timedelta(seconds=SESSION_TIME),
                 )
 
                 # Validate token by calling userinfo API
@@ -95,8 +102,7 @@ class ExternalOAuthProvider(GoogleProvider):
                     access_token = WorkspaceAccessToken(
                         token=token,
                         scopes=scope_list,
-                        expires_at=int(time.time())
-                        + 3600,  # Default to 1-hour validity
+                        expires_at=int(time.time()) + SESSION_TIME,
                         claims={
                             "email": user_info["email"],
                             "sub": user_info.get("id"),