fix: properly set token_expiry_is_time_of_expiration and mask access token when logging

airbyte_cdk/sources/declarative/parsers/model_to_component_factory.py

@@ -2801,6 +2801,7 @@ def create_oauth_authenticator(
                 ).eval(config),
                 scopes=model.scopes,
                 token_expiry_date_format=model.token_expiry_date_format,
+                token_expiry_is_time_of_expiration=bool(model.token_expiry_date_format),
                 message_repository=self._message_repository,
                 refresh_token_error_status_codes=model.refresh_token_updater.refresh_token_error_status_codes,
                 refresh_token_error_key=model.refresh_token_updater.refresh_token_error_key,

airbyte_cdk/sources/streams/http/requests_native_auth/abstract_oauth.py

@@ -217,10 +217,33 @@ def _make_handled_request(self) -> Any:
                 data=self.build_refresh_request_body(),
                 headers=self.build_refresh_request_headers(),
             )
+
+            response_json = None
+            json_exception = None
+            try:
+                response_json = response.json()
+            except Exception as e:
+                # if the json could not be parsed, save the exception to raise it later
+                json_exception = e
+
+            try:
+                if response_json:
+                    # extract the access token and add to secrets to avoid logging the raw value
+                    access_key = self._extract_access_token(response_json)
+                    if access_key:
+                        add_to_secrets(access_key)
+            except ResponseKeysMaxRecurtionReached as e:
+                # could not find the access token in the response, so do nothing
+                pass
+
             # log the response even if the request failed for troubleshooting purposes
             self._log_response(response)
             response.raise_for_status()
-            return response.json()
+
+            if json_exception:
+                raise json_exception
+
+            return response_json
         except requests.exceptions.RequestException as e:
             if e.response is not None:
                 if e.response.status_code == 429 or e.response.status_code >= 500:
@@ -240,9 +263,7 @@ def _ensure_access_token_in_response(self, response_data: Mapping[str, Any]) ->
 
         This method attempts to extract the access token from the provided response data.
         If the access token is not found, it raises an exception indicating that the token
-        refresh API response was missing the access token. If the access token is found,
-        it adds the token to the list of secrets to ensure it is replaced before logging
-        the response.
+        refresh API response was missing the access token.
 
         Args:
             response_data (Mapping[str, Any]): The response data from which to extract the access token.
@@ -257,9 +278,6 @@ def _ensure_access_token_in_response(self, response_data: Mapping[str, Any]) ->
                 raise Exception(
                     f"Token refresh API response was missing access token {self.get_access_token_name()}"
                 )
-            # Add the access token to the list of secrets so it is replaced before logging the response
-            # An argument could be made to remove the prevous access key from the list of secrets, but unmasking values seems like a security incident waiting to happen...
-            add_to_secrets(access_key)
         except ResponseKeysMaxRecurtionReached as e:
             raise e