fix(profile-server): ensure profileChangedAt is included in assertion JWT for cache invalidation

[lmorchard]

issue #2206

[rfk]

Nice catch! I expect you will need to update the tests in test/local/oauthdb.js for completeness.

[lmorchard]

Okay, so I'm digging around in bits that I don't quite fully understand here.

I noticed that profile-server is looking for creds.profile_changed_at to decide whether to invalidate cached profile data. However, when I threw in some log statements, it appeared that profile_changed_at is always missing from creds, so it seems like this cache invalidation never happens.

Tracing clumsily back through the code with log statements, it looks like fxa-profileChangedAt isn't added in makeAssertionJWT. I added it, and profile_changed_at now appears in creds in profile-server, and the cache invalidation actually happens now.

This seems to simple of a fix for issue #2206, but maybe this is it? Could use some sanity checks as to what I just did here :)

[lmorchard]

Nice catch! I expect you will need to update the tests in test/local/oauthdb.js for completeness.

Oh, yeah, will need to update the tests... I wanted to get this out in PR form if only to see if I'm completely barking up the wrong tree and mucking with bits beyond my ken :)

[rfk]

I think this probably explains it TBH; the kind of "backdoor" assertion that's being used here to talk directly to oauth-server has diverged from the schema of assertions generated by ./lib/signer.js. The fix here is 100% correct and required.

[rfk]

(A broader follow-up might look into refactoring to avoid code duplicating between the code here and the code in ./lib/signer.js)

[lmorchard]

Quick update to add the profileChangedAt claim in oauthdb test

[rlr]

amazing \o/

[rfk]

An r+ for the PR, and an A+ for the detective work; great find!