Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NBF tolerances are too tight for JWT #1439

Closed
sblackstone opened this issue Jun 5, 2022 · 2 comments
Closed

NBF tolerances are too tight for JWT #1439

sblackstone opened this issue Jun 5, 2022 · 2 comments
Labels
auth bug

Comments

@sblackstone
Copy link

sblackstone commented Jun 5, 2022
edited
Loading

Description

My computers clock was running 1 second ahead and that was enough to trigger NBF signature issues with the JWT code.

There should be atleast some tolerance in the NBF settings when decoding the JWT, e.g.

::JWT.decode(@token, secret, true, { nbf_leeway: 5, algorithm: "HS256" })

I'm running the normal Apple NTP settings, so this can happen to regular users.
@sblackstone sblackstone added the bug label Jun 5, 2022
sblackstone added a commit to sblackstone/shopify_app that referenced this issue Jun 5, 2022
@sblackstone
Introduce a 5s tolerance to NBF JWT claim validation
a5cf19d 
Fixes Shopify#1439
@sblackstone sblackstone mentioned this issue Jun 5, 2022
Closed
sblackstone added a commit to sblackstone/shopify_app that referenced this issue Jun 5, 2022
@sblackstone
Introduce a 5s tolerance to NBF JWT claim validation
4359454 
Fixes Shopify#1439
sblackstone added a commit to sblackstone/shopify_app that referenced this issue Jun 5, 2022
@sblackstone
Introduce a 5s tolerance to NBF JWT claim validation
377da5c 
Fixes Shopify#1439 / Shopify#1214
@andyw8 andyw8 added the auth label Aug 11, 2022
@nelsonwittwer
Copy link
Contributor

We noticed a similar problem and increased the JWT leeway to 10 seconds. We merged the fixed for the Ruby API gem yesterday. This will be included in the next release of the gem.

@sblackstone
Copy link
Author

sblackstone commented Aug 23, 2022
edited
Loading

@nelsonwittwer This gem currently has its own JWT handling and does not use the shopify_api gem.....

Are you guys updating the logic in here to use the shopify api gem? Otherwise my PR #1440 is still necessary.

lib/shopify_app/session/jwt.rb

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
auth bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Introduce a 5s tolerance to NBF JWT claim validation sblackstone/shopify_app
3 participants
@andyw8 @sblackstone @nelsonwittwer