bug: refreshAccessTokenAutomatically ignores created_at and resets timer to full duration on page reload (Bug exists in new SDK)

[toan5ks1]

Description

I have verified that the legacy SPAHelper logic in the new @asgardeo/javascript SDK (specifically within @asgardeo/browser) contains a logic error regarding token auto-refresh limits.

The method refreshAccessTokenAutomatically calculates the refresh timer using only parseInt(sessionData.expires_in). Since expires_in is verifying to be the static duration (e.g. 3600), reloading the page effectively resets the timer to wait the full duration from the current time, ignoring how much time has already elapsed.

Location
packages/browser/src/legacy/helpers/spa-helper.ts
(Lines 46-51)

Steps to Reproduce

1. User logs in (Access Token valid for 30m).
2. User reloads page at T=15m.
3. SDK retrieves expires_in (30m) and sets a new timer for T=45m.
4. At T=30m, token expires. Auto-refresh fails to fire.

Please select the area the issue is related to

@asgardeo/react, @asgardeo/browser

Version

@asgardeo/react 0.10.0, @asgardeo/browser 0.2.5

Environment Details (with versions)

Browser

Reporter Checklist

• I have searched the existing issues and this is not a duplicate.
• I have provided all the necessary information.
• I have tested the issue on the latest version of the package.