fix: correct issuedAtTime in JWT cool-off period test #171

Merged
vharseko merged 2 commits into master from copilot/fix-failing-test-jwt-session-validation
Apr 3, 2026

Contributor

Copilot AI commented Apr 3, 2026

The test shouldValidateRequestWhenJwtSessionCookiePresentAndValidCoolOffPeriodNotExpired was failing because issuedAtTime was set 1 minute in the past, causing the module's cool-off logic to trigger a cookie refresh — violating the verifyZeroInteractions(response) assertion.

Change

  • ServletJwtSessionModuleTest.java: Change issuedAtTime offset from -1 minute to -5 seconds so the JWT is considered fresh and no cookie refresh occurs.

// Before
calendar.add(Calendar.MINUTE, -1);

// After
calendar.add(Calendar.SECOND, -5);

This makes the test properly complementary to shouldValidateRequestWhenJwtSessionCookiePresentAndValidCoolOffPeriodExpired, which uses -1 minute - 5 seconds and expects a cookie refresh.

Original prompt

Failing Test

The CI build is failing on the test shouldValidateRequestWhenJwtSessionCookiePresentAndValidCoolOffPeriodNotExpired in ServletJwtSessionModuleTest.java.

Build run: https://github.com/OpenIdentityPlatform/commons/actions/runs/23912306875/job/69737183389

Error:

org.mockito.exceptions.verification.NoInteractionsWanted:
No interactions wanted here:
-> at ...ServletJwtSessionModuleTest.shouldValidateRequestWhenJwtSessionCookiePresentAndValidCoolOffPeriodNotExpired(ServletJwtSessionModuleTest.java:525)
But found this interaction on mock 'Mock for HttpServletResponse':
-> at org.forgerock.caf.http.Cookie.addCookie(Cookie.java:332)

Root Cause

In the test at line 525, verifyZeroInteractions(response) asserts that the HttpServletResponse mock should have no interactions. However, the production code in Cookie.addCookie() (Cookie.java line 332) calls resp.addCookie(cookie.cookie) on the response — meaning the JWT is being rebuilt and the cookie is being reset even though the cool-off period has supposedly not expired.

The issue is that the test sets issuedAtTime to 1 minute ago (lines 492-495):

calendar.setTime(new Date());
calendar.set(Calendar.MILLISECOND, 0);
calendar.add(Calendar.MINUTE, -1);
Date issuedAtTime = calendar.getTime();

This causes the module's cool-off period logic to consider the JWT old enough to warrant refreshing the cookie — which triggers a Cookie.addCookie() call on the response, violating the verifyZeroInteractions(response) assertion.

Fix

In the file commons/auth-filters/authn-filter/jaspi-modules/jwt-session-module/src/test/java/org/forgerock/jaspi/modules/session/jwt/ServletJwtSessionModuleTest.java, change lines 492-495 from:

calendar.setTime(new Date());
calendar.set(Calendar.MILLISECOND, 0);
calendar.add(Calendar.MINUTE, -1);
Date issuedAtTime = calendar.getTime();

to:

calendar.setTime(new Date());
calendar.set(Calendar.MILLISECOND, 0);
calendar.add(Calendar.SECOND, -5);
Date issuedAtTime = calendar.getTime();

This sets the issued-at time to only 5 seconds ago (instead of 1 minute), so the cool-off period is truly not expired, and no cookie refresh/response interaction occurs.

Note that the companion test shouldValidateRequestWhenJwtSessionCookiePresentAndValidCoolOffPeriodExpired correctly sets the issued-at time further in the past (calendar.add(Calendar.MINUTE, -1) plus calendar.add(Calendar.SECOND, -5)) and expects the response to be interacted with. The fix makes the two tests properly complementary.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Please find a solution for this failing job. Use the logs, job definition, and any referenced files where the failure occurred. Keep your response focused on the solution and include code suggestions when appropriate.

Assistant:

I'll start by fetching the job logs and the workflow definition to understand the failure.

Assistant: The build fails due to a single test failure:

ServletJwtSessionModuleTest.shouldValidateRequestWhenJwtSessionCookiePresentAndValidCoolOffPeriodNotExpired (line 525)

The error is:

No interactions wanted on Mock for HttpServletResponse, but an unexpected interaction was found at org.forgerock.caf.http.Cookie.addCookie(Cookie.java:332).

This means the test expects no interactions with the HttpServletResponse mock, but the code is calling addCookie() on it when it shouldn't be (during the "cool-off period not expired" scenario). Let me look at the test and the Cookie.addCookie method.

Assistant: ## Failing Test Analysis

The build fails on the test shouldValidateRequestWhenJwtSessionCookiePresentAndValidCoolOffPeriodNotExpired at line 525 in ServletJwtSessionModuleTest.java:

No interactions wanted here:
-> at ...ServletJwtSessionModuleTest.shouldValidateRequestWhenJwtSessionCookiePresentAndValidCoolOffPeriodNotExpired(ServletJwtSessionModuleTest.java:525)
But found this interaction on mock 'Mock for HttpServletResponse, hashCode: 1633013890':
-> at org.forgerock.caf.http.Cookie.addCookie(Cookie.java:332)

Root Cause

The test at line 525 asserts verifyZeroInteractions(response), expecting no interactions with the HttpServletResponse mock. However, the production code in Cookie.addCookie() calls resp.addCookie(cookie.cookie) on the response — meaning the JWT is being rebuilt and the cookie is ...

This pull request was created from Copilot chat.
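
The boundary behaviour discussed in this pull request, as an added example that is not code from the PR or from the project. It assumes a one-minute cool-off window and a hypothetical `shouldRefreshCookie` helper (the module's real check is not shown on this page), and uses constructed timestamps to show how an issued-at time of "now minus one minute, milliseconds zeroed" lands on the refresh side of the window while "now minus five seconds" does not.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.temporal.ChronoUnit;

public class CoolOffBoundaryDemo {
    // Assumption: a one-minute cool-off window; the page does not state the module's value.
    static final Duration COOL_OFF = Duration.ofMinutes(1);

    // Hypothetical stand-in for the module's decision: re-issue the session cookie
    // only when the JWT's issued-at time is older than the cool-off window.
    static boolean shouldRefreshCookie(Instant issuedAt, Clock clock) {
        return issuedAt.isBefore(clock.instant().minus(COOL_OFF));
    }

    // Mirrors the test setup quoted on the page: take "now", zero the milliseconds,
    // then subtract the chosen age.
    static Instant issuedAt(Instant testNow, Duration age) {
        return testNow.truncatedTo(ChronoUnit.SECONDS).minus(age);
    }

    public static void main(String[] args) {
        // Constructed timestamps: the test reads the clock at .900 and the code
        // under test reads it 150 ms later.
        Instant testNow = Instant.parse("2026-04-03T07:00:00.900Z");
        Clock moduleClock = Clock.fixed(testNow.plusMillis(150), ZoneOffset.UTC);

        Duration[] ages = {
            Duration.ofSeconds(5),   // offset used by the fixed "not expired" test
            Duration.ofMinutes(1),   // offset used by the test before the fix
            Duration.ofSeconds(65)   // offset used by the companion "expired" test
        };
        for (Duration age : ages) {
            Instant iat = issuedAt(testNow, age);
            System.out.printf("iat = now - %-6s refresh=%b%n",
                    age, shouldRefreshCookie(iat, moduleClock));
        }
    }
}
```

Passing a fixed `Clock` into the check keeps the decision deterministic, so a test can pin the issued-at time on either side of the window without depending on wall-clock timing.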

Copilot AI changed the title from "[WIP] Fix failing test for JWT session cookie validation" to "fix: correct issuedAtTime in JWT cool-off period test" Apr 3, 2026
Copilot AI requested a review from vharseko April 3, 2026 07:02
vharseko marked this pull request as ready for review April 3, 2026 07:04
vharseko merged commit 8f70f39 into master Apr 3, 2026
15 checks passed
vharseko deleted the copilot/fix-failing-test-jwt-session-validation branch April 3, 2026 10:20