minor: address emily's non-blocking comments on #9411

david-crespo · david-crespo · commit 042417c143a7 · 2025-11-18T10:10:39.000-06:00
diff --git a/nexus/auth/src/authn/external/session_cookie.rs b/nexus/auth/src/authn/external/session_cookie.rs
@@ -396,13 +396,7 @@ mod test {
             }]),
         };
         let result = authn_with_cookie(&context, Some("session=abc")).await;
-        assert!(matches!(
-            result,
-            SchemeResult::Authenticated(Details {
-                actor: _,
-                device_token_expiration: _
-            })
-        ));
+        assert!(matches!(result, SchemeResult::Authenticated(Details { .. })));
 
         // valid cookie should have updated time_last_used
         let sessions = context.sessions.lock().unwrap();
diff --git a/nexus/src/app/device_auth.rs b/nexus/src/app/device_auth.rs
@@ -142,32 +142,32 @@ impl super::Nexus {
             // token is being used)
 
             // Validate the requested TTL against the silo's max TTL
-            if let Some(max) = silo_max_ttl {
-                if requested_ttl > max.0.into() {
-                    return Err(Error::invalid_request(&format!(
-                        "Requested TTL {} seconds exceeds maximum allowed \
-                         TTL for this silo of {} seconds",
-                        requested_ttl, max
-                    )));
-                }
+            if let Some(max) = silo_max_ttl
+                && requested_ttl > max.0.into()
+            {
+                return Err(Error::invalid_request(&format!(
+                    "Requested TTL {} seconds exceeds maximum allowed \
+                     TTL for this silo of {} seconds",
+                    requested_ttl, max
+                )));
             };
 
             let requested_exp =
                 Utc::now() + Duration::seconds(requested_ttl.0.into());
 
             // If currently authenticated via token, error if requested exceeds it
-            if let Some(auth_exp) = opctx.authn.device_token_expiration() {
-                if requested_exp > auth_exp {
-                    return Err(Error::invalid_request(
-                        "Requested token TTL would exceed the expiration time \
-                         of the token being used to authenticate the confirm \
-                         request. To get the full requested TTL, confirm \
-                         this token using a web console session. Alternatively, \
-                         omit requested TTL to get a token with the longest \
-                         allowed lifetime, determined by the lesser of the silo \
-                         max and the current token's expiration time.",
-                    ));
-                }
+            if let Some(auth_exp) = opctx.authn.device_token_expiration()
+                && requested_exp > auth_exp
+            {
+                return Err(Error::invalid_request(
+                    "Requested token TTL would exceed the expiration time \
+                     of the token being used to authenticate the confirm \
+                     request. To get the full requested TTL, confirm \
+                     this token using a web console session. Alternatively, \
+                     omit requested TTL to get a token with the longest \
+                     allowed lifetime, determined by the lesser of the silo \
+                     max and the current token's expiration time.",
+                ));
             }
 
             Some(requested_exp)
diff --git a/nexus/tests/integration_tests/device_auth.rs b/nexus/tests/integration_tests/device_auth.rs
@@ -704,7 +704,6 @@ async fn test_device_token_cannot_extend_expiration(
         testctx,
         session_auth_response.device_code,
         client_id,
-        AuthnMode::Session(session_token.clone()),
     )
     .await;
 
@@ -746,7 +745,6 @@ async fn test_device_token_cannot_extend_expiration(
         testctx,
         session_auth_response2.device_code,
         client_id,
-        AuthnMode::Session(session_token),
     )
     .await;
 
@@ -788,13 +786,9 @@ async fn test_device_token_cannot_extend_expiration(
     .expect("failed to confirm initial token");
 
     // Fetch the initial token
-    let initial_token_grant = fetch_device_token(
-        testctx,
-        auth_response_1.device_code,
-        client_id,
-        AuthnMode::PrivilegedUser,
-    )
-    .await;
+    let initial_token_grant =
+        fetch_device_token(testctx, auth_response_1.device_code, client_id)
+            .await;
 
     let initial_token = initial_token_grant.access_token;
     let initial_expiration = initial_token_grant.time_expires.unwrap();
@@ -1130,7 +1124,6 @@ async fn fetch_device_token(
     testctx: &ClientTestContext,
     device_code: String,
     client_id: Uuid,
-    authn_mode: AuthnMode,
 ) -> DeviceAccessTokenGrant {
     NexusRequest::new(
         RequestBuilder::new(testctx, Method::POST, "/device/token")
@@ -1143,7 +1136,6 @@ async fn fetch_device_token(
             }))
             .expect_status(Some(StatusCode::OK)),
     )
-    .authn_as(authn_mode)
     .execute_and_parse_unwrap::<DeviceAccessTokenGrant>()
     .await
 }
