@vagruchi vagruchi commented Dec 1, 2025

Summary by CodeRabbit

  • Bug Fixes

    • Token issuance now tolerates small clock differences by allowing the issued-at (iat) to be omitted or set slightly earlier (5 seconds), reducing false token validation failures.
  • Tests

    • Updated token expiration assertions to match the adjusted issuance timing so test expectations align with runtime behavior.

coderabbitai bot commented Dec 1, 2025

Walkthrough

Sets JWT issued-at (iat) to current time minus 5 seconds when creating tokens; token builder now accepts an optional iat and omits the claim when not provided. Tests updated to expect exp relative to the shifted iat.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Token issuance clock skew mitigation: getstream/stream.py | _create_token signature adds optional iat; claims now include iat only when provided. create_token and create_call_token pass iat = now - 5 instead of always using current time. |
| Tests updated for skewed iat: tests/test_video_integration.py | Adjusts expected exp assertion to account for 5-second earlier iat (asserts exp == iat + 5 + 10). |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Areas to check:
    • Correct propagation and conditional inclusion of iat in _create_token.
    • Consistency of iat = now - 5 usage and potential test flakiness due to timing.
    • Any other callers of _create_token or token consumers that might rely on previous iat semantics.

Poem

🐇 I hopped five seconds into the past,
To make our tokens sync and last,
Little clocks that drift and roam,
A tiny nudge brings them back home,
🕰️✨

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)
| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |
| Title check | ⚠️ Warning | The PR title claims to 'Remove IAT from server side token', but the actual changes add configurable IAT support with a 5-second leeway, rather than removing it entirely. | Update the title to accurately reflect the changes, such as 'Add 5-second leeway to token IAT' or 'Make token IAT configurable with leeway', which aligns with the PR objectives and actual implementation. |

✅ Passed checks (1 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 66ffc79 and b9068d2.

📒 Files selected for processing (1)
  • getstream/stream.py (1 hunks)
🧰 Additional context used
🪛 GitHub Actions: CI
getstream/stream.py

[error] 1-1: Token expiration calculation off by 5 seconds for expiration=10; decoded exp != iat + expiration. Potential clock skew handling issue.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
tests/test_video_integration.py (1)

65-66: Expiration assertion matches new leeway semantics; consider tightening the comment

The assertion decoded["exp"] == decoded["iat"] + 5 + 10 correctly encodes “5s leeway + 10s expiration” given the new backdated iat behavior, so the test is aligned with the intended change.

If you want to make the intent a bit clearer for future readers, you could tweak the comment like this (no behavior change):

-    # 5 seconds to avoid clock skew and 10 seconds - expiration
-    assert decoded["exp"] == decoded["iat"] + 5 + 10
+    # exp should be 15s after iat: 5s leeway + 10s expiration
+    assert decoded["exp"] == decoded["iat"] + 5 + 10
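
Review bot: the literal 5 in `decoded["iat"] + 5 + 10` repeats the leeway value that the token code subtracts from iat, so if that value is ever changed the assertion fails with nothing pointing back to the cause. Consider exposing the leeway as a named constant and using it here, and also asserting exp against the time the test requested the token, so the test pins the effective 10-second lifetime and not only the distance from the backdated iat.
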
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between b9068d2 and 8f5d916.

📒 Files selected for processing (1)
  • tests/test_video_integration.py (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: Tests (3.11)
  • GitHub Check: Tests (3.13)
  • GitHub Check: Tests (3.12)
  • GitHub Check: Tests (3.10)

@vagruchi vagruchi changed the title Generate JWT valid 5 seconds before. Remove IAT from server side token. Dec 2, 2025
@tbarbugli tbarbugli merged commit 9ebea36 into main Dec 2, 2025
5 checks passed
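
The behavior discussed in this PR, as an added example that is not code from the getstream repository: a stdlib-only HS256 token builder with an optional iat, and a strict verifier whose clock runs 3 seconds behind the issuer. The function names, the `user_id` claim, the secret and the timestamps are constructed for illustration.

```python
import base64, hashlib, hmac, json

LEEWAY = 5  # seconds the issuer backdates iat (the value used in this PR)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(secret, user_id, now, expiration=None, iat=None):
    """Hypothetical builder: iat and exp are included only when provided."""
    claims = {"user_id": user_id}
    if iat is not None:
        claims["iat"] = iat
    if expiration is not None:
        claims["exp"] = now + expiration  # lifetime counts from the real issue time
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify(secret, token, verifier_now):
    """Strict verifier: no leeway on its side; HS256 is fixed, header alg is ignored."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if "iat" in claims and claims["iat"] > verifier_now:
        raise ValueError("iat is in the future")
    if "exp" in claims and claims["exp"] <= verifier_now:
        raise ValueError("token expired")
    return claims

def demo():
    secret, issuer_now = b"constructed-demo-secret", 1_700_000_000
    verifier_now = issuer_now - 3  # verifier clock is 3 s behind the issuer
    exact = make_token(secret, "alice", issuer_now, 10, iat=issuer_now)
    backdated = make_token(secret, "alice", issuer_now, 10, iat=issuer_now - LEEWAY)
    try:
        verify(secret, exact, verifier_now)
        exact_accepted = True
    except ValueError:
        exact_accepted = False  # iat = now looks "future" to the slow verifier
    claims = verify(secret, backdated, verifier_now)
    return exact_accepted, claims["exp"] - claims["iat"]
```

Backdating iat leaves exp untouched, so the usable lifetime after issuance is still the requested 10 seconds; only the exp - iat distance grows to 15, which is what the updated test asserts.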