fix: implement OAuth token expiry tracking in Bulk CDK OAuthAuthenticator [Hubspot Destination] (#74728)

devin-ai-integration[bot] · bot_apk · pedroslopez · web-flow · commit 0834beb4000c · 2026-04-14T17:36:00.000-07:00
Co-authored-by: Devin AI &lt;158243242+devin-ai-integration[bot]@users.noreply.github.com&gt;
Co-authored-by: bot_apk &lt;apk@cognition.ai&gt;
Co-authored-by: Pedro Lopez &lt;pedroslopez@me.com&gt;
diff --git a/airbyte-cdk/bulk/core/load/changelog.md b/airbyte-cdk/bulk/core/load/changelog.md
@@ -9,6 +9,7 @@ The Load CDK provides functionality for destination connectors including stream-
 
 | Version | Date       | Pull Request | Subject                                                                                         |
 |---------|------------|--------------|-------------------------------------------------------------------------------------------------|
+| 1.0.8   | 2026-04-14 | [#74728](https://github.com/airbytehq/airbyte/pull/74728) | Fix OAuthAuthenticator to track token expiry via `expires_in` and refresh expired tokens. |
 | 1.0.7   | 2026-03-27 | | Fix: update Iceberg sort order before schema evolution to prevent ValidationException when deleting columns referenced by the sort order. Handles Dedupe-to-Append mode switches and PK changes. |
 | 1.0.6   | 2026-03-12 | [#74715](https://github.com/airbytehq/airbyte/pull/74715) | Fix: drop temp table after successful upsert to prevent duplicate records across syncs. |
 | 1.0.5   | 2026-03-10 | [#74723](https://github.com/airbytehq/airbyte/pull/74723) | Fix schema evolution: defer identifier field update when replacing columns to avoid Iceberg conflict. |
diff --git a/airbyte-cdk/bulk/core/load/version.properties b/airbyte-cdk/bulk/core/load/version.properties
@@ -1 +1 @@
-version=1.0.7
+version=1.0.8
diff --git a/airbyte-cdk/bulk/toolkits/load-http/src/main/kotlin/io/airbyte/cdk/load/http/authentication/OAuthAuthenticator.kt b/airbyte-cdk/bulk/toolkits/load-http/src/main/kotlin/io/airbyte/cdk/load/http/authentication/OAuthAuthenticator.kt
@@ -14,6 +14,8 @@ import io.airbyte.cdk.load.http.decoder.JsonDecoder
 import io.airbyte.cdk.load.http.okhttp.AirbyteOkHttpClient
 import io.micronaut.http.HttpHeaders
 import java.lang.IllegalStateException
+import java.time.Clock
+import java.time.Instant
 import okhttp3.Interceptor
 import okhttp3.OkHttpClient
 import okhttp3.Response as OkHttpResponse
@@ -23,18 +25,21 @@ class OAuthAuthenticator(
     private val clientId: String,
     private val clientSecret: String,
     private val refreshToken: String,
-    private val httpClient: HttpClient = AirbyteOkHttpClient(OkHttpClient.Builder().build())
+    private val httpClient: HttpClient = AirbyteOkHttpClient(OkHttpClient.Builder().build()),
+    private val clock: Clock = Clock.systemUTC()
 ) : Interceptor {
     object Constants {
         const val CLIENT_ID_FIELD_NAME: String = "client_id"
         const val CLIENT_SECRET_FIELD_NAME: String = "client_secret"
         const val GRANT_TYPE_FIELD_NAME: String = "grant_type"
         const val GRANT_TYPE: String = "refresh_token"
         const val REFRESH_TOKEN_FIELD_NAME: String = "refresh_token"
+        const val EXPIRY_BUFFER_SECONDS: Long = 60
     }
 
     private val decoder: JsonDecoder = JsonDecoder()
     private var accessToken: String? = null
+    private var tokenExpiresAt: Instant? = null
 
     override fun intercept(chain: Interceptor.Chain): OkHttpResponse {
         if (needToQueryAccessToken()) {
@@ -55,8 +60,8 @@ class OAuthAuthenticator(
     }
 
     private fun isTokenExpired(): Boolean {
-        return false // TODO as we only supports Salesforce today, the token is keep active until
-        // there is no activity for a while which should not happen in our context
+        val expiresAt = tokenExpiresAt ?: return false
+        return Instant.now(clock).isAfter(expiresAt.minusSeconds(Constants.EXPIRY_BUFFER_SECONDS))
     }
 
     /**
@@ -92,6 +97,11 @@ class OAuthAuthenticator(
     }
 
     private fun refreshAccessToken() {
-        accessToken = queryForAccessToken().get("access_token").asText()
+        val tokenResponse = queryForAccessToken()
+        accessToken = tokenResponse.get("access_token").asText()
+        val expiresInNode = tokenResponse.get("expires_in")
+        if (expiresInNode != null && expiresInNode.isNumber) {
+            tokenExpiresAt = Instant.now(clock).plusSeconds(expiresInNode.asLong())
+        }
     }
 }
diff --git a/airbyte-cdk/bulk/toolkits/load-http/src/test/kotlin/io/airbyte/cdk/load/http/authentication/OAuthAuthenticatorTest.kt b/airbyte-cdk/bulk/toolkits/load-http/src/test/kotlin/io/airbyte/cdk/load/http/authentication/OAuthAuthenticatorTest.kt
@@ -10,6 +10,9 @@ import io.micronaut.http.HttpHeaders
 import io.mockk.every
 import io.mockk.mockk
 import io.mockk.verify
+import java.time.Clock
+import java.time.Instant
+import java.time.ZoneId
 import kotlin.test.assertFailsWith
 import okhttp3.Interceptor
 import okhttp3.Request
@@ -67,6 +70,84 @@ class OAuthAuthenticatorTest {
         verify(exactly = 1) { httpClient.send(any()) }
     }
 
+    @Test
+    internal fun `test given token with expires_in when token expires then refresh token`() {
+        val fixedInstant = Instant.parse("2026-01-01T00:00:00Z")
+        val clock = Clock.fixed(fixedInstant, ZoneId.of("UTC"))
+        val authWithClock =
+            OAuthAuthenticator(
+                A_ENDPOINT,
+                A_CLIENT_ID,
+                A_CLIENT_SECRET,
+                A_REFRESH_TOKEN,
+                httpClient,
+                clock
+            )
+
+        val originalRequest: Request = mockk()
+        val chain: Interceptor.Chain = mockChain(originalRequest)
+        mockBuilder(originalRequest)
+        mockCallWithExpiresIn(1800) // 30 minutes
+
+        // First call fetches the token
+        authWithClock.intercept(chain)
+        verify(exactly = 1) { httpClient.send(any()) }
+
+        // Second call within expiry window should not refresh
+        authWithClock.intercept(chain)
+        verify(exactly = 1) { httpClient.send(any()) }
+    }
+
+    @Test
+    internal fun `test given expired token when performing a request then refresh token`() {
+        val startInstant = Instant.parse("2026-01-01T00:00:00Z")
+        // Token expires in 1800s (30 min), buffer is 60s, so expired at startInstant + 1740s
+        val expiredInstant = startInstant.plusSeconds(1800)
+        val mutableClock = mockk<Clock>()
+        every { mutableClock.instant() } returns startInstant
+        every { mutableClock.zone } returns ZoneId.of("UTC")
+
+        val authWithClock =
+            OAuthAuthenticator(
+                A_ENDPOINT,
+                A_CLIENT_ID,
+                A_CLIENT_SECRET,
+                A_REFRESH_TOKEN,
+                httpClient,
+                mutableClock
+            )
+
+        val originalRequest: Request = mockk()
+        val chain: Interceptor.Chain = mockChain(originalRequest)
+        mockBuilder(originalRequest)
+        mockCallWithExpiresIn(1800)
+
+        // First call fetches the token
+        authWithClock.intercept(chain)
+        verify(exactly = 1) { httpClient.send(any()) }
+
+        // Advance time past expiry
+        every { mutableClock.instant() } returns expiredInstant
+
+        // Second call should refresh because token is expired
+        authWithClock.intercept(chain)
+        verify(exactly = 2) { httpClient.send(any()) }
+    }
+
+    @Test
+    internal fun `test given no expires_in in response when performing requests then do not refresh`() {
+        val originalRequest: Request = mockk()
+        val chain: Interceptor.Chain = mockChain(originalRequest)
+        mockBuilder(originalRequest)
+        mockCall() // no expires_in in response
+
+        authenticator.intercept(chain)
+        authenticator.intercept(chain)
+
+        // Without expires_in, token is never considered expired (backward compatible)
+        verify(exactly = 1) { httpClient.send(any()) }
+    }
+
     @Test
     internal fun `test given status is not 2XX when performing a request then raise`() {
         val originalRequest: Request = mockk()
@@ -91,6 +172,20 @@ class OAuthAuthenticatorTest {
         every { httpClient.send(any()) } returns (oauthResponse)
     }
 
+    private fun mockCallWithExpiresIn(expiresIn: Int) {
+        every { httpClient.send(any()) } answers
+            {
+                val oauthResponse: Response = mockk<Response>()
+                every { oauthResponse.statusCode } returns 200
+                every { oauthResponse.body } returns
+                    "{\"access_token\":\"${AN_ACCESS_TOKEN}\",\"expires_in\":$expiresIn}".byteInputStream(
+                        Charsets.UTF_8
+                    )
+                every { oauthResponse.close() } returns Unit
+                oauthResponse
+            }
+    }
+
     private fun mockBuilder(originalRequest: Request): Request.Builder {
         val builder: Request.Builder = mockk()
         every { builder.addHeader(any(), any()) } returns (builder)
