Let's say I'm a client & I like to keep my clock set 2 days forward.
If a dev writes some client code to keep the token alive by calling a refreshToken when the token TTL is less than a minute, and the token expires every 24 hours, that dev could inadvertently spin up an infinite stream of refresh requests to his server just because the client is a jerk. Sure, the dev could write code to protect against this, but we could help.
Before the handshake is emitted the client saves preShakeTime.
The server includes the server time in the handshake.
When the server handshake is received, the client saves postShakeTime.
roundTripTime = postShakeTime - preShakeTime
Now, we have a time differential (including transmission time!) stored in the socket: this._serverTimeDiff;
Now, we can calculate token TTL = Date.now() - this._serverTimeDiff.
We can use this internally for #31 waitOnAuth. Additionally, devs can use this to defend against wonky clients when they write their refresh code.
On second thought, maybe socket.serverTimeAhead, no need for the underscore prefix since it'll be useful for devs. Also, "Difference" doesn't tell you if it's ahead or behind.
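The offset calculation sketched in the thread, as an added example that is not code from the project or the commenter. It assumes the server stamps its time roughly halfway through the handshake round trip (so half the round trip is subtracted before comparing clocks), that the token carries a JWT-style `exp` in seconds, and that the names `serverTimeAhead`, `estimateServerTimeAhead`, `tokenTtlMs` and `shouldRefresh` are illustrative, not API names. The sample handshake timestamps are constructed to reproduce the "client clock 2 days forward" case and show the naive TTL going negative while the offset-corrected TTL stays close to 24 hours.

```javascript
// Added example (not the project's own code): estimate how far the server's
// clock is ahead of the client's from the auth handshake, then compute a
// token's remaining TTL on the server's clock instead of the client's.

// preShakeTime / postShakeTime: client-side Date.now() before emitting the
// handshake and after receiving the reply. serverTime: the timestamp the
// server put in its handshake reply. All values are milliseconds.
function estimateServerTimeAhead(preShakeTime, serverTime, postShakeTime) {
  const roundTripTime = postShakeTime - preShakeTime;
  // Assumption: the server stamped its time about halfway through the trip,
  // so compare against the client clock at that midpoint, not at preShakeTime.
  const clientTimeAtStamp = preShakeTime + roundTripTime / 2;
  return serverTime - clientTimeAtStamp;
}

// Current time according to the server's clock (negative offset when the
// client clock runs ahead, as in the "2 days forward" case).
function serverNow(serverTimeAhead, now = Date.now()) {
  return now + serverTimeAhead;
}

// Remaining token lifetime on the server's clock. tokenExpSeconds is the
// token's exp claim (seconds since epoch, the JWT convention).
function tokenTtlMs(tokenExpSeconds, serverTimeAhead, now = Date.now()) {
  return tokenExpSeconds * 1000 - serverNow(serverTimeAhead, now);
}

// Naive version that trusts the client clock: this is what loops forever
// when the client clock is far ahead of the server's.
function naiveTokenTtlMs(tokenExpSeconds, now = Date.now()) {
  return tokenExpSeconds * 1000 - now;
}

// Refresh only while the token is still valid and inside the threshold;
// an already-expired token needs a fresh login, and refreshing it in a
// loop would only hammer the server.
function shouldRefresh(ttlMs, thresholdMs = 60 * 1000) {
  return ttlMs > 0 && ttlMs < thresholdMs;
}

// Constructed scenario: server clock at SERVER_T0, client clock 2 days ahead,
// 80 ms round trip, token issued by the server with a 24 h lifetime.
function demo() {
  const TWO_DAYS = 2 * 24 * 60 * 60 * 1000;
  const ONE_DAY = 24 * 60 * 60 * 1000;
  const SERVER_T0 = 1700000000000;

  const preShakeTime = SERVER_T0 + TWO_DAYS;      // client clock, handshake sent
  const serverTime = SERVER_T0 + 40;              // server stamps 40 ms in
  const postShakeTime = preShakeTime + 80;        // client clock, reply received
  const tokenExpSeconds = (SERVER_T0 + ONE_DAY) / 1000;

  const serverTimeAhead = estimateServerTimeAhead(preShakeTime, serverTime, postShakeTime);
  const now = postShakeTime; // "current" client time right after the handshake

  const naiveTtl = naiveTokenTtlMs(tokenExpSeconds, now);
  const correctedTtl = tokenTtlMs(tokenExpSeconds, serverTimeAhead, now);

  return {
    serverTimeAhead,               // -172800000: client is 2 days ahead
    naiveTtl,                      // negative: client thinks token already expired
    correctedTtl,                  // ~24 h minus the 80 ms that elapsed
    naiveWouldRefresh: shouldRefresh(naiveTtl),
    correctedWouldRefresh: shouldRefresh(correctedTtl),
  };
}

module.exports = { estimateServerTimeAhead, serverNow, tokenTtlMs, naiveTokenTtlMs, shouldRefresh, demo };
```

The only state the socket needs to keep is `serverTimeAhead`; every later TTL check is `exp - (Date.now() + serverTimeAhead)`, so a client whose clock is set days forward no longer sees a permanently expired token and the refresh loop described above never starts.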