Switch to shttp transport

2026-02-25 19:30:58 +00:00
parent 73fb20553d
commit 58d777754f
4 changed files with 29 additions and 15 deletions
--- a/src/va_agent/auth.py
+++ b/src/va_agent/auth.py
@@ -1,6 +1,6 @@
 """ID-token auth for Cloud Run → Cloud Run calls."""

-import threading
+import logging
 import time

 from google.adk.agents.readonly_context import ReadonlyContext
@@ -10,18 +10,33 @@ from google.oauth2 import id_token

 from va_agent.config import settings

-_REFRESH_MARGIN = 300  # refresh 5 min before expiry
+logger = logging.getLogger(__name__)
+
+_REFRESH_MARGIN = 900  # refresh 15 min before expiry

-_lock = threading.Lock()
 _token: str | None = None
 _token_exp: float = 0.0


+def _fetch_token() -> tuple[str, float]:
+    """Fetch a fresh ID token (blocking I/O)."""
+    tok = id_token.fetch_id_token(GAuthRequest(), settings.mcp_audience)
+    exp = jwt.decode(tok, verify=False)["exp"]
+    return tok, exp
+
+
 def auth_headers_provider(_ctx: ReadonlyContext | None = None) -> dict[str, str]:
-    """Return Authorization headers with a cached ID token."""
-    global _token, _token_exp  # noqa: PLW0603
-    with _lock:
-        if _token is None or time.time() >= _token_exp - _REFRESH_MARGIN:
-            _token = id_token.fetch_id_token(GAuthRequest(), settings.mcp_audience)
-            _token_exp = jwt.decode(_token, verify=False)["exp"]
-    return {"Authorization": f"Bearer {_token}"}
+    """Return Authorization headers, refreshing the cached token when needed.
+
+    With Streamable HTTP transport every tool call is a fresh HTTP
+    request, so returning a valid token here is sufficient — no
+    background refresh loop required.
+    """
+    global _token, _token_exp
+
+    if _token is not None and time.time() < _token_exp - _REFRESH_MARGIN:
+        return {"Authorization": f"Bearer {_token}"}
+
+    tok, exp = _fetch_token()
+    _token, _token_exp = tok, exp
+    return {"Authorization": f"Bearer {tok}"}