Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

'Issued at' claim ('iat') must be an Integer representing the time that the assertion was issued #967

Closed
mfix22 opened this issue Jul 16, 2019 · 9 comments

Comments

@mfix22
Copy link
Contributor

commented Jul 16, 2019

Bug Report

Current Behavior
When running the Probot app locally, I get the following error on startup:

ERROR probot: 'Issued at' claim ('iat') must be an Integer representing the time that the assertion was issued

even though the JWT being sent is valid: https://jwt.io/#debugger-io?token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1NjMzMDU3MDcsImV4cCI6MTU2MzMwNjI3NywiaXNzIjoiMTEzODAifQ.Pn3Y7kdyYMpOUDuHUlEKErYApxXGmQR9_0--SUo4VUbgMW4_r9_63Lj0q6J07JeAcJ5XWHpauD4SaBerAjOQMgx3xNfLhE0MpzCYnOSYfS7nCBOz0qB26wLef-0sGjIwfGZ6mRsrcWtjGbJdk2x0gUfA4IbyMM9PlHyWAz5Ffdlf_27YZxvDGw8_JsShJGpWv_cG4jYTHCR5E5HHEAQPdpJ4WFuehEeUlH1LTQQBG5yPAjYp5bgN980TAAH8-nJhSwTU45_4qttd83fu8uKud5nULGLb8PG7jmcl9nEfeBOGRRWlrboa1UhFCA5YIe_BROgML3ffhQ9S7HTG2hMABQ

Expected behavior/code
No errors should occur on startup.

Environment

  • Probot version(s): 9.2.19
  • Node/npm version: v10.16.0
  • OS: OSX 10.14.5

Possible Solution

@issue-label-bot issue-label-bot bot added the bug 🐞 label Jul 16, 2019

@issue-label-bot

This comment has been minimized.

Copy link

commented Jul 16, 2019

Issue-Label Bot is automatically applying the label bug 🐞 to this issue, with a confidence of 0.98. Please mark this comment with 👍 or 👎 to give our bot feedback!

Links: app homepage, dashboard and code for this bot.

@mfix22

This comment has been minimized.

Copy link
Contributor Author

commented Jul 16, 2019

Potentially this is another issue with syncing my system clock with the GitHub servers, but I am not suer how to do that on my Mac.

Also most likely a duplicate of #326, but there was no solution posted.

@mfix22

This comment has been minimized.

Copy link
Contributor Author

commented Jul 16, 2019

Looks like it is an open ticket in the GitHub platform too: https://github.community/t5/GitHub-API-Development-and/Issued-at-claim-iat-must-be-an-Integer-representing-the-time/m-p/20048#M1065

I'm using a simple script to submit GitHub Status to pull requests. The script can be found at https://github.com/grpc/grpc/blob/master/tools/run_tests/python_utils/check_on_pr.py.   It works fine most of the time, but occasionally we will get following message. I'm sure I sent an integer, can you p...
@gr2m

This comment has been minimized.

Copy link
Contributor

commented Jul 16, 2019

Can you reproduce the problem with https://github.com/octokit/app.js, which is the underlying library doing the JWT dance?

GitHub
GitHub Apps toolset for Node.js. Contribute to octokit/app.js development by creating an account on GitHub.
@mfix22

This comment has been minimized.

Copy link
Contributor Author

commented Jul 17, 2019

@gr2m if I change this line: https://github.com/octokit/app.js/blob/38a4e69348ccfbc6fec31c3048497d0a96db68d6/src/get-signed-json-web-token.ts#L9 to

const now = Math.floor(Date.now() / 1000) - 60 // <------

the issue it solved. Should I open this in octokit/app.js instead?

GitHub
GitHub Apps toolset for Node.js. Contribute to octokit/app.js development by creating an account on GitHub.
@mfix22

This comment has been minimized.

Copy link
Contributor Author

commented Jul 17, 2019

This example reproduces the issue:

// paste PRIVATE_KEY and APP_ID here:

let fetch = require('node-fetch')
let jsonwebtoken = require('jsonwebtoken')
const now = Math.floor(Date.now() / 1000)
const payload = {
  iat: now,
  exp: now + 60 * 10 - 30,
  iss: APP_ID
}

const token = jsonwebtoken.sign(payload, PRIVATE_KEY, {
  algorithm: 'RS256'
})

fetch('https://api.github.com/app/installations?per_page=100', {
  method: 'GET',
  headers: {
    accept: 'application/vnd.github.machine-man-preview+json',
    'user-agent': 'octokit.js/16.28.1 Node.js/10.16.0 (macOS Mojave; x64)',
    authorization: `Bearer ${token}`
  }
})
  .then(r => {
    console.log(r.status)
    return r
  })
  .then(res => res.json())
  .then(console.log)

and subtracting 60 from now fixes it 🤷‍♂

@gr2m

This comment has been minimized.

Copy link
Contributor

commented Jul 17, 2019

Hmm the code just works for me, without subtracting 30 seconds from now.

I’d like to better understand what the underlying issue is and if it resolves the problem for other people that see the iat error.

Once we have a better understanding and an idea on how to workaround the problem, https://github.com/octokit/app.js is the right place to fix it right now (though it will be https://github.com/octokit/auth-app.js in future, best to fix it in both)

GitHub
GitHub Apps toolset for Node.js. Contribute to octokit/app.js development by creating an account on GitHub.
GitHub
GitHub App authentication for JavaScript. Contribute to octokit/auth-app.js development by creating an account on GitHub.
@mfix22

This comment has been minimized.

Copy link
Contributor Author

commented Jul 17, 2019

@gr2m I restarted my computer, and the issue went away for me 🤦‍♂That is probably not helpful.

You can probably close this issue, since it is most likely a complete duplicate of #966 etc.

@gr2m

This comment has been minimized.

Copy link
Contributor

commented Jul 17, 2019

Yeah let’s do that. I’ll keep an eye out on though. Thanks for your help!

@gr2m gr2m closed this Jul 17, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.