lucia-auth / lucia

Authentication, simple and clean
https://lucia-auth.com
MIT License

[Bug]: GitHub OAuth fails with "exp is too far in the future" #1302

Closed ivanempire closed 10 months ago

ivanempire commented 10 months ago

Package

@lucia-auth/oauth

Describe the bug

Description

As of last night, we seem to be running into an issue where we can't complete the OAuth flow for a GitHub App Installation due to the following error:

"message":"'Expiration time' claim ('exp') is too far in the future"

I've found some other versions of the bug here: https://github.com/probot/probot/issues/1426 and here https://github.com/conbench/conbench/issues/1101

I'd be happy to create a reproducible example, it just requires one to have a GitHub App on their account to authorize against. Relevant excerpt from package.json:

"@lucia-auth/adapter-prisma": "^3.0.2",
"@lucia-auth/oauth": "^3.3.1",

I can also take a stab at fixing this; I may need a pointer to the code location where the expiry value is set, unless we did something stupid on our end. 🚀 Thanks a bunch - absolutely love the library!

pilcrowonpaper commented 10 months ago

a GitHub App

The OAuth integration only supports OAuth apps, not GitHub apps. I think there are some differences between them.

ivanempire commented 10 months ago

Hey, thanks for responding! So we did get the flow working just fine by plugging in the application ID and secret - I was pleasantly surprised that it just worked (we got user info, installation information, etc.), but then suddenly this error cropped up last night.

pilcrowonpaper commented 10 months ago

Which API call is causing the error? The standard OAuth flow doesn't use JWTs (the exp claim). The only part where a JWT is used is when authenticating the GitHub App.

I'm pretty sure this has nothing to do with Lucia

ivanempire commented 10 months ago

Found the original guide we followed to address your earlier point: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-user-access-token-for-a-github-app#generating-a-user-access-token-when-a-user-installs-your-app

We're putting the user through OAuth to get the user access token. The specific call that fails is:

const { data } = await app.octokit.request("GET /users/{username}/installation", {
    username: session.user.username,
    headers: {
        "X-GitHub-Api-Version": "2022-11-28"
    }
});

Although as I'm dissecting this more, it does in fact seem that something is going wrong after the flow completes successfully because we're getting a session just fine. I'm going to close this - thanks for the sanity check :)
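The failing call above is authenticated as the GitHub App, i.e. with the App JWT whose `exp` claim the error complains about. The following is an added example, not code from the thread or from Lucia: it models GitHub's documented rule that an App JWT's `exp` may be at most 10 minutes after GitHub's clock, and shows how an issuing host whose clock runs ahead trips that rule unless the issuer leaves a margin (the 60 s backdated `iat`, the 9-minute lifetime, the app id and the reference time are constructed choices for this example).

```javascript
// Added example (not from the lucia thread): models the claims of a GitHub App
// JWT and GitHub's documented rule that `exp` may lie at most 10 minutes after
// the server's clock, to show how a fast issuer clock produces the error
// "'Expiration time' claim ('exp') is too far in the future".
const MAX_LIFETIME_SECONDS = 10 * 60; // GitHub's documented ceiling for App JWTs

// Build JWT claims for a GitHub App. The backdated `iat` and the 9-minute `exp`
// are safety margins chosen for this example (not values from the thread) so the
// token survives a host clock that runs up to a minute ahead of GitHub's.
function buildAppJwtClaims(appId, nowSeconds, { iatSkew = 60, lifetime = 9 * 60 } = {}) {
  return { iat: nowSeconds - iatSkew, exp: nowSeconds + lifetime, iss: String(appId) };
}

// Emulation of the receiver's check (an assumption about GitHub's exact rule):
// reject expired tokens and tokens whose `exp` exceeds now + 10 minutes.
function checkExpClaim(claims, receiverNowSeconds) {
  if (claims.exp <= receiverNowSeconds) {
    return { ok: false, reason: "token already expired" };
  }
  if (claims.exp > receiverNowSeconds + MAX_LIFETIME_SECONDS) {
    return { ok: false, reason: "'Expiration time' claim ('exp') is too far in the future" };
  }
  return { ok: true, reason: null };
}

// Issue on a host whose clock is `issuerSkewSeconds` ahead of the receiver and
// check the result; `lifetime` is the exp offset the issuer chose.
function simulate(lifetime, issuerSkewSeconds) {
  const receiverNow = 1700000000; // constructed reference time (seconds)
  const claims = buildAppJwtClaims("12345", receiverNow + issuerSkewSeconds, { lifetime });
  return checkExpClaim(claims, receiverNow);
}

// Decode the payload of an existing JWT (signature is NOT verified) so a
// rejected token's `exp` can be compared against the local clock when debugging.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Constructed, unsigned token for demonstration only: header.payload.<placeholder>.
function unsignedDemoToken(claims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${b64({ alg: "RS256", typ: "JWT" })}.${b64(claims)}.SIGNATURE_PLACEHOLDER`;
}
```

`simulate(600, 30)` is rejected (a full 10-minute lifetime on a clock 30 s fast), while `simulate(540, 30)` is accepted; when a real token is rejected, `decodeJwtPayload` lets you compare its `exp` with `Date.now() / 1000` on the issuing host.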