Shopify / shopify-app-bridge

https://shopify.dev/docs/api/app-bridge

authenticatedFetch is consistently providing me with JWTs with nbf ("Not Before Claim") values in the future #59

Closed tolgap closed 2 years ago

tolgap commented 3 years ago

Describe the bug

When my Mac OS X 11.3.1 Big Sur machine is close to a new minute on my system clock, I notice strange behavior:

This error is happening consistently on my local development environment. When debugging the JWT parsing that is provided by @shopify/koa-shopify-auth, I notice the following behavior:

{
  iss: 'https://<store>.myshopify.com/admin',
  dest: 'https://<store>.myshopify.com',
  aud: 'ecf2834002ac630dde29e6937ff9c9ac',
  sub: '72564015311',
  exp: 2021-06-16T17:14:59.000Z,
  nbf: 2021-06-16T17:13:59.000Z,
  iat: 1623863639,
  jti: 'f3e2ebfb-7cd6-46cb-b84c-3907873d2f41',
  sid: '1f5d5129358032f321a6e3a5a3e7f2aa969ca62d0a4c922c8c7b6a36b1afffe3',
  now: 2021-06-16T17:13:57.845Z
}

I have added the now property to the JWT myself. As you can see, the nbf value of my token is in the future relative to my development machine's clock:

nbf: 2021-06-16T17:13:59.000Z

now: 2021-06-16T17:13:57.845Z

This seems to mostly happen when my machine is within 3 seconds of a new minute. So, for instance, between 13:30:57 and 13:30:59 I will run into this issue.

Contextual information

Additional context

Next.js app, using Koa. The default Shopify/shopify-app-node setup from shopify create.

I noticed some others running into this:

Tigatok commented 3 years ago

@tolgap Hi tolgap,

I am also experiencing this. I have not confirmed that my timing is off. How did you debug the jwt token in that createShopifyAuth section?

Have you managed to fix this?

bkspace commented 3 years ago

Hey @Tigatok, @tolgap - you could set a tolerance when verifying the JWT:

clockTolerance: number of seconds to tolerate when checking the nbf and exp claims, to deal with small clock differences among different servers

Tigatok commented 3 years ago

@bkspace Thanks for the response. I guess, with the server.json that the base projects get you started with, I am trying to understand where the JWT gets verified.

AntoineMaitre commented 3 years ago

Also having this issue in development, following build-a-shopify-app-with-node-and-react tutorial.

package.json details:

"dependencies": {
  "@shopify/app-bridge-react": "^2.0.3",
  "@shopify/app-bridge-utils": "^2.0.3",
  "@shopify/koa-shopify-auth": "^4.1.3",
  "@shopify/polaris": "^6.5.0",
  "apollo-boost": "^0.4.9",
  "dotenv": "^10.0.0",
  "graphql": "^15.5.1",
  "isomorphic-fetch": "^3.0.0",
  "koa": "^2.13.1",
  "koa-router": "^8.0.8",
  "next": "^11.0.1",
  "react": "^17.0.2",
  "react-apollo": "^3.1.5",
  "react-dom": "^17.0.2",
  "store-js": "^2.0.4",
  "webpack": "^4.46.0"
}

maruffahmed commented 3 years ago

I had the same issue with nbf. My server request is made before the JWT token is active, and I end up with the error: Failed to parse session token <token>: jwt not active. I solved this problem by manually syncing my Windows 10 time with time.windows.com. I'm wondering if this issue is related to time, so merchants could face this too in their environments.

tolgap commented 2 years ago

This is solved for me since https://github.com/Shopify/shopify-node-api/issues/207 landed in @shopify/shopify-api@2.0.0