ItalyPaleAle / hereditas

A static site generator for a fully trustless digital legacy box

Time authority #3

Closed Mindavi closed 5 years ago

Mindavi commented 5 years ago

Who's responsible for figuring out if the timer has expired? If the client can control its time, can't it also unlock the box as soon as they log in instead of having to wait for a day? A client might, for example, set their system time to 1 day later.

ItalyPaleAle commented 5 years ago

Hi @Mindavi,

The timer is managed inside Auth0 and stored as client metadata. When users log in, the current time (as a UNIX timestamp) is stored in the variable. Only after timer + 86400 < current_time does Auth0 return the application token as part of the JWT.

You can see how this is implemented here: https://github.com/ItalyPaleAle/hereditas/blob/master/auth0/03-wait-logic.js

There's definitely no client involvement in this. The client is simply unaware of the application token until it's returned to it by Auth0.
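The server-side wait timer described in the reply above, as an added illustration rather than the project's own `auth0/03-wait-logic.js`: every timestamp comes from the authorization server's clock (passed in as `nowSeconds` so the logic is testable), and nothing the browser reports about its own time is ever read, which is why skewing the client's clock cannot shorten the wait. The metadata field name `hereditasTimer`, the claim name and the token value are placeholders assumed for this example.

```javascript
// Added example, not the hereditas project's own Auth0 rule. Models a rule that
// gates an application token behind a wait timer stored server-side between
// logins. The client's clock is never consulted.

const WAIT_SECONDS = 86400; // one day, the value used in the issue thread
const TOKEN_CLAIM = 'https://hereditas.example/app_token'; // placeholder namespaced claim

// In-memory stand-in for the per-user metadata Auth0 persists between logins.
function createStore() {
  return new Map(); // userId -> { hereditasTimer: <unix seconds> | undefined }
}

// Evaluate the timer for one login using the server's notion of "now".
// Returns the updated metadata and whether the application token may be released.
function evaluateWaitTimer(metadata, nowSeconds) {
  const meta = Object.assign({}, metadata);
  if (typeof meta.hereditasTimer !== 'number') {
    // First login after the timer was (re)set: record server time, no token yet.
    meta.hereditasTimer = nowSeconds;
    return { metadata: meta, grant: false };
  }
  // Strictly more than WAIT_SECONDS must have elapsed on the server clock
  // (the page's condition: timer + 86400 < current_time).
  const grant = meta.hereditasTimer + WAIT_SECONDS < nowSeconds;
  return { metadata: meta, grant };
}

// Simulate a login: update the stored metadata and build the JWT payload the
// authorization server would hand back. The app token only appears once the
// timer has expired; `appToken` is a placeholder value.
function login(store, userId, nowSeconds, appToken) {
  const { metadata, grant } = evaluateWaitTimer(store.get(userId) || {}, nowSeconds);
  store.set(userId, metadata);
  const payload = { sub: userId, iat: nowSeconds };
  if (grant) {
    payload[TOKEN_CLAIM] = appToken;
  }
  return payload;
}

// Walk-through with constructed timestamps: first login starts the timer,
// a login at exactly one day later is still too early, one second after that
// releases the token.
function demo() {
  const store = createStore();
  const t0 = 1600000000; // constructed server time, UNIX seconds
  const first = login(store, 'user-1', t0, 'APP-TOKEN-PLACEHOLDER');
  const tooEarly = login(store, 'user-1', t0 + WAIT_SECONDS, 'APP-TOKEN-PLACEHOLDER');
  const ready = login(store, 'user-1', t0 + WAIT_SECONDS + 1, 'APP-TOKEN-PLACEHOLDER');
  return {
    firstHasToken: TOKEN_CLAIM in first,
    tooEarlyHasToken: TOKEN_CLAIM in tooEarly,
    readyHasToken: TOKEN_CLAIM in ready,
    timerStartedAt: store.get('user-1').hereditasTimer,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Because `login` takes the server's time as an argument, the same function can be exercised with any timestamps in a test; in a real rule the value would come from the authorization server's own clock, and the browser's system time plays no part in the decision.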