From 11b70744857f3701f0cf5f9b79605685b6126e03 Mon Sep 17 00:00:00 2001
From: Oleksandr Bezdieniezhnykh <oleksandr.bezdieniezhnykh@pwc.com>
Date: Mon, 11 May 2026 23:47:26 +0300
Subject: [PATCH] [AZ-487] fix: integration-test JWT factory handles negative
 lifetime

Same fix as f64d0d7 applied to the integration tests' own copy of the
JWT mint helper. MintExpiredToken passes a negative lifetime which made
Expires < NotBefore and the JwtSecurityToken constructor rejected the
token before it could exercise lifetime-validation. Shift NotBefore
behind Expires for non-positive lifetimes.

Co-authored-by: Cursor <cursoragent@cursor.com>
---
 SatelliteProvider.IntegrationTests/JwtTestHelpers.cs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/SatelliteProvider.IntegrationTests/JwtTestHelpers.cs b/SatelliteProvider.IntegrationTests/JwtTestHelpers.cs
index c49a7c3..5cf0f6d 100644
--- a/SatelliteProvider.IntegrationTests/JwtTestHelpers.cs
+++ b/SatelliteProvider.IntegrationTests/JwtTestHelpers.cs
@@ -39,6 +39,10 @@ public static class JwtTestHelpers
         var credentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
 
         var now = DateTime.UtcNow;
+        var expires = now.Add(lifetime ?? TimeSpan.FromHours(1));
+        // JwtSecurityToken rejects Expires <= NotBefore. Shift NotBefore
+        // behind Expires for the expired-token test fixture.
+        var notBefore = expires <= now ? expires.AddMinutes(-5) : now;
         var claims = new List<Claim>
         {
             new(JwtRegisteredClaimNames.Sub, subject),
@@ -53,8 +57,8 @@ public static class JwtTestHelpers
             issuer: null,
             audience: null,
             claims: claims,
-            notBefore: now,
-            expires: now.Add(lifetime ?? TimeSpan.FromHours(1)),
+            notBefore: notBefore,
+            expires: expires,
             signingCredentials: credentials);
 
         return new JwtSecurityTokenHandler().WriteToken(token);