MSC4108 2024 version (Sign in with QR code): clock desynchronisation between client and homeserver causes rendezvous session to be immediately deleted and the login to fail

[reivilibre]

As diagnosed with a community member in the MAS room.

The root cause is that the HTTP Expires header is being read for an absolute timestamp, yet the client and server may have desynchronised clocks.

If the server is a minute or more slower than the client, the rendezvous session will be immediately DELETEd causing the sign-in to fail.

I'm told that Element X shows the error 'Something went wrong An unexpected error occurred. Please try again' in this case.

This section of code appears to be at fault:

matrix-js-sdk/src/rendezvous/transports/MSC4108RendezvousSession.ts

Lines 154 to 164 in b3fedf3

	const expires = res.headers.get("expires");
	if (expires) {
	if (this.expiresTimer) {
	clearTimeout(this.expiresTimer);
	this.expiresTimer = undefined;
	}
	this.expiresAt = new Date(expires);
	this.expiresTimer = setTimeout(() => {
	this.expiresTimer = undefined;
	this.cancel(ClientRendezvousFailureReason.Expired);
	}, this.expiresAt.getTime() - Date.now());

[t3chguy]

I think the MSC should state how clients must handle this

[reivilibre]

I think the MSC should state how clients must handle this

yup, I raised as a concern on MSC4388 which I understand is intended to replace (this part of) MSC4108: matrix-org/matrix-spec-proposals#4388 (comment)

This ticket is really just here in case anyone needs to search for it.

[reivilibre]

If we needed to fix this right now before the new MSC replaces it, one approach would just be to remove all the client-side expiry logic — the server will expire the rendezvous session itself, no need to cancel the session on a timer.
In that case, cancel would only be used if the user pressed the cancel button themselves.