This repository has been archived by the owner on Oct 4, 2024. It is now read-only.

expiry test for tokens running off local time, not auth time #189

Open
coderdecoder opened this issue Jan 14, 2022 · 1 comment

Comments

@coderdecoder

If you look in your check-expiry function you'll see that you're using time.time() to get the local server time, then evaluating that against the expiry. This is not correct, as if you're running the web server in a different timezone the times will no longer line up.

To correct this I think what is needed is to log time.time() when the request is made internally to create an offset and evaluate based off this.

@coderdecoder (Author)

Here is my local solution; I'm not sure where you'd like to store the value, or I'd implement it myself and push it. When I get/refresh my tokens I log the local time.

    session['cognito_token_time'] = time.time()

Use test mode and apply the offset if any:

    # if token is expiring soon refresh and re-decode-verify
    expiring_in = verified_claims['exp'] - time.time() - (verified_claims['auth_time'] - session['cognito_token_time'])
    if expiring_in < 0:
        raise Exception('Token is expired')
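A self-contained version of the check sketched in the comment above, added here as an example; it is not the repository's code and not the commenter's. It records the local time when the token is obtained, estimates the offset between the server's clock and the issuer's clock from auth_time, and applies that offset before comparing against exp, with an optional leeway. The names check_expiry, TokenExpiredError, clock_offset and the SAMPLE_CLAIMS values are assumptions, and the claims are constructed rather than real Cognito output. Because exp, auth_time and time.time() are all Unix epoch seconds, the example also includes a small check that aware datetimes in two different zones give the same epoch timestamp, which is why the stored offset corrects clock skew between the two machines rather than a timezone difference.

```python
import time
from datetime import datetime, timedelta, timezone


class TokenExpiredError(Exception):
    """Raised when exp, corrected for clock skew, is already in the past."""


# Constructed sample claims (assumption, not real Cognito output): both values
# are Unix epoch seconds, here a one-hour token issued at auth_time.
SAMPLE_CLAIMS = {"auth_time": 1_642_161_600, "exp": 1_642_165_200}


def clock_offset(claims, token_time):
    """Seconds by which the local clock runs ahead of the issuer's clock.

    token_time is the local time.time() recorded when the token was fetched or
    refreshed (the comment stores it in session['cognito_token_time']); the
    issuer stamped that same moment as auth_time, so the difference is the skew.
    """
    return token_time - claims["auth_time"]


def seconds_until_expiry(claims, token_time, now=None):
    """Remaining lifetime in seconds, evaluated on the issuer's clock."""
    if now is None:
        now = time.time()
    # Shift the local 'now' onto the issuer's clock, then compare with exp.
    # Algebraically identical to: exp - now - (auth_time - token_time).
    return claims["exp"] - (now - clock_offset(claims, token_time))


def check_expiry(claims, token_time, now=None, leeway=0):
    """Return the remaining seconds, or raise TokenExpiredError.

    leeway tolerates a little residual skew; leeway=0 reproduces the check
    from the comment.
    """
    remaining = seconds_until_expiry(claims, token_time, now)
    if remaining + leeway < 0:
        raise TokenExpiredError(f"token expired {-remaining:.0f}s ago")
    return remaining


def epoch_is_timezone_independent():
    """True when aware datetimes in two zones map to the same epoch second.

    time.time() and the exp/auth_time claims are all epoch seconds, so the
    server's timezone never enters the comparison; only clock skew does.
    """
    utc_now = datetime.now(timezone.utc).timestamp()
    pacific_now = datetime.now(timezone(timedelta(hours=-8))).timestamp()
    return abs(utc_now - pacific_now) < 1.0


if __name__ == "__main__":
    auth = SAMPLE_CLAIMS["auth_time"]
    exp = SAMPLE_CLAIMS["exp"]
    fetched_at = auth + 120  # local clock runs 2 minutes ahead of the issuer
    print("estimated skew:", clock_offset(SAMPLE_CLAIMS, fetched_at), "s")
    print("naive remaining at exp+60 local:", exp - (exp + 60))
    print("skew-corrected remaining:", check_expiry(SAMPLE_CLAIMS, fetched_at, now=exp + 60))
    print("timezone-independent epoch:", epoch_is_timezone_independent())
    try:
        check_expiry(SAMPLE_CLAIMS, fetched_at, now=exp + 200)
    except TokenExpiredError as err:
        print("rejected:", err)
```

With the local clock two minutes ahead, the naive comparison rejects the token a minute before the issuer considers it expired, while the corrected check still reports 60 seconds remaining and only rejects once the skew-adjusted time passes exp. If the project verifies tokens with PyJWT, jwt.decode() also accepts a leeway argument, which tolerates a bounded skew without storing an offset per session.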
