Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fixed iat error of 1 second earlier #21

Merged
merged 3 commits into from
Dec 29, 2024
Merged

fixed iat error of 1 second earlier #21

merged 3 commits into from
Dec 29, 2024

Conversation

HiraiKyo
Copy link
Contributor

Error I encountered

I have encountered an issue with token verification where the iat claim is consistently 1 second ahead of the calculated current timestamp, resulting in verification errors.

Decoding Firebase ID token failed. Make sure you passed the entire string JWT
  which represents an ID token. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for
  details on how to retrieve an ID token. err: Error: Incorrect "iat" claim must be a older than
  "1718141274" (iat: "1718141275")

Solution

I do not know the reason why, but I guess there is an calculation mismatch under 1000ms.
I tested in my environment and figured out that Math.ceil fixes this problem to round the timestamp.

Justification

Honestly I do not know whether iat verification should be strict or not, however, I found that the same error is previously discussed on this Python repository and PR got merged.
firebase/firebase-admin-python#714
So IMO there is no reason to be strict and Math.ceil is somewhat valid solution.

Perhaps this error should be fixed comprehensively by adding clockSkewInSeconds args.

@HiraiKyo HiraiKyo changed the title fixed iat error of 1 seconds diff fixed iat error of 1 second earlier Jun 12, 2024
@Code-Hex
Copy link
Owner

Code-Hex commented Jul 8, 2024

@HiraiKyo Thanks for making PR!
Could you add test for this?

@HiraiKyo
Copy link
Contributor Author

@Code-Hex Thanks for the response!
I am facing two problems currently and I am wondering how to fix and write tests.

  1. What causes this 1 second iat difference in my dev environment, and this is not always. Math.ceil reduced the occurency but not fixed completely.
  2. This repository is bypassed by @hono/firebse-auth middleware, and should I also send PR to both repos to add clockSkewSeconds args.

Problem 1. bothers me how to write test, and Problem 2. leads me think some another solution.

How to do you think?

@hls-app
Copy link

hls-app commented Dec 26, 2024

Any updates on this?

Noticed another fork that seems to solve this issue in a different approach

https://github.com/MIERUNE/firebase-auth-cloudflare-workers-x509

@Code-Hex would appreciate merging the right approach.

@hls-app hls-app mentioned this pull request Dec 27, 2024
Closed
@Code-Hex
Copy link
Owner

@HiraiKyo I'm sorry for late response.
Looks good to me. let's go

@Code-Hex Code-Hex merged commit 831bbca into Code-Hex:main Dec 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@HiraiKyo @Code-Hex @hls-app