[OPS] Add token expiry warning mechanism (defense in depth) #60

@artcava

Overview

Add a secondary safety mechanism that proactively warns 15 days before the LinkedIn refresh_token expires (365-day TTL). This acts as a fallback in case the auto-refresh function (#58) itself fails silently over multiple months.

Depends on: #58

Tasks

  • When LinkedInTokenRefresherFunction successfully stores a new refresh_token, tag the Key Vault secret with the expiry date:

        var secret = new KeyVaultSecret("LinkedInRefreshToken", newRefreshToken);
        secret.Properties.ExpiresOn = DateTimeOffset.UtcNow.AddDays(365);
        await secretClient.SetSecretAsync(secret);

  • Create a new TimerTrigger function LinkedInTokenExpiryWarningFunction that runs weekly (0 0 9 * * 1) and:
    • Reads the ExpiresOn property of LinkedInRefreshToken from Key Vault
    • If expiry is within 15 days: logs LogWarning with message "LinkedIn refresh token expires in {days} days. Manual re-authorization required."
  • The warning log triggers the existing alert rule from [OPS] Add Application Insights alert for LinkedIn token refresh failures #59 (severityLevel >= 3)

Acceptance Criteria

  • Warning log appears in Application Insights when refresh token is within 15 days of expiry
  • No warning when token is healthy
  • Alert email received when warning is triggered

Notes

  • This is a defense-in-depth measure — under normal operation (monthly auto-refresh working correctly) this function should never fire a warning
  • Weekly check is sufficient given the 15-day warning window
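
A sketch of the weekly check described in the tasks above, added here as an example and not taken from the project's code. It assumes the isolated worker model and a `SecretClient` registered in dependency injection; the `DaysRemaining` helper and the handling of a secret with no `ExpiresOn` are assumptions of this example.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Extensions.Logging;

// Added example, not the project's code (isolated worker model assumed).
public class LinkedInTokenExpiryWarningFunction
{
    private const string SecretName = "LinkedInRefreshToken";
    private const int WarningWindowDays = 15;

    private readonly SecretClient _secretClient;
    private readonly ILogger<LinkedInTokenExpiryWarningFunction> _logger;

    public LinkedInTokenExpiryWarningFunction(
        SecretClient secretClient,
        ILogger<LinkedInTokenExpiryWarningFunction> logger)
    {
        _secretClient = secretClient;
        _logger = logger;
    }

    // Hypothetical helper: whole days until expiry, null when ExpiresOn is unset.
    // A negative result means the token has already expired.
    public static int? DaysRemaining(DateTimeOffset? expiresOn, DateTimeOffset now) =>
        expiresOn.HasValue
            ? (int)Math.Floor((expiresOn.Value - now).TotalDays)
            : (int?)null;

    [Function(nameof(LinkedInTokenExpiryWarningFunction))]
    public async Task Run([TimerTrigger("0 0 9 * * 1")] TimerInfo timer)
    {
        KeyVaultSecret secret = await _secretClient.GetSecretAsync(SecretName);
        int? days = DaysRemaining(secret.Properties.ExpiresOn, DateTimeOffset.UtcNow);

        if (days is null)
        {
            // Assumption: a secret stored before the expiry tag existed is
            // reported as unverifiable instead of being treated as healthy.
            _logger.LogWarning("LinkedIn refresh token has no ExpiresOn set. Expiry cannot be checked.");
        }
        else if (days <= WarningWindowDays)
        {
            _logger.LogWarning(
                "LinkedIn refresh token expires in {days} days. Manual re-authorization required.",
                days);
        }
    }
}
```

Application Insights records `LogWarning` as severityLevel 2 (Error is 3), so confirm that the alert query from #59 matches level 2 before relying on this warning to raise the alert.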
