Open
@mjcheetham

Description

Right now GCM Core always returns any stored credentials for a request without any validation.

We cannot ever 100% validate that a credential is "good" for the particular Git command/request because the remote Git server can reject the credentials based on the content of the pack during a push, for example.

We can however validate if a stored a credential is expired or not, such as a PAT or OAuth JWT token that have expiration dates.

To do this we need to extend the credential store API and platform implementations to support reading/writing expiry metadata.

In the event the metadata is missing or the credentials have no expiry we should optimistically return them - assume they are good. This would mean we only reject definitely bad credentials (expired) and avoid false negatives.