From b4ea791410db23b236fd71c6b8d1414fa497f673 Mon Sep 17 00:00:00 2001
From: Christian Oudard
Date: Fri, 20 Sep 2024 15:45:37 -0600
Subject: [PATCH] Review notes.

---
 knox/auth.py | 8 +++++++-
 tests/tests.py | 4 ++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/knox/auth.py b/knox/auth.py
index d574c5b..8dd4c80 100644
--- a/knox/auth.py
+++ b/knox/auth.py
@@ -1,5 +1,6 @@
 import binascii
 from hmac import compare_digest
+import logging
 from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
@@ -14,6 +15,9 @@
 from knox.signals import token_expired
+logger = logging.getLogger(__name__)
+
+
 class TokenAuthentication(BaseAuthentication):
 '''
 This authentication scheme uses Knox AuthTokens for authentication.
@@ -78,7 +82,9 @@ def renew_token(self, auth_token) -> None:
 # Do not auto-renew tokens past AUTO_REFRESH_MAX_TTL.
 if knox_settings.AUTO_REFRESH_MAX_TTL is not None:
 max_expiry = auth_token.created + knox_settings.AUTO_REFRESH_MAX_TTL
- new_expiry = min(new_expiry, max_expiry)
+ if new_expiry > max_expiry:
+ new_expiry = max_expiry
+ logger.info('Token renewal truncated due to AUTO_REFRESH_MAX_TTL.')
 auth_token.expiry = new_expiry
diff --git a/tests/tests.py b/tests/tests.py
index 0d6f151..b91e8ec 100644
--- a/tests/tests.py
+++ b/tests/tests.py
@@ -347,6 +347,10 @@ def test_token_expiry_is_not_extended_past_max_ttl(self):
 "Expiry time should have been extended to {} but is {}."
 .format(expected_expiry, new_expiry))
+ with freeze_time(expected_expiry + timedelta(seconds=1)):
+ response = self.client.get(root_url, {}, format='json')
+ self.assertEqual(response.status_code, 401)
+
 def test_expiry_signals(self):
 self.signal_was_called = False
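Review bot: The new `logger.info` call in the `renew_token` hunk of knox/auth.py carries no identifying context, so a log reader cannot tell which token or user reached the AUTO_REFRESH_MAX_TTL cap. If `renew_token` runs on every authenticated request, which the hunk does not show, the same line would also be emitted for each request once the cap is reached. Consider logging at debug level, or adding a non-secret identifier such as `logger.info('Token renewal truncated due to AUTO_REFRESH_MAX_TTL (user_id=%s).', auth_token.user_id)`, assuming the token model exposes the owning user; the token value and its digest should stay out of the log. The body of `renew_token` starts and continues outside the hunk.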
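Review bot: The block added to `test_token_expiry_is_not_extended_past_max_ttl` in tests/tests.py checks only the rejection side of the boundary, so a regression that expires the token earlier than `expected_expiry` would still pass it. A matching acceptance check placed before it would pin both sides: `with freeze_time(expected_expiry - timedelta(seconds=1)):` followed by the same `self.client.get(root_url, {}, format='json')` and `self.assertEqual(response.status_code, 200)`. It has to run first if a request with an expired token removes that token, which is not visible here. The test body starts outside the hunk, so this assumes the client credentials are still set at this point.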