mozilla / fxa-auth-server

DEPRECATED - Migrated to https://github.com/mozilla/fxa
Mozilla Public License 2.0

FxA Sign up fails with "Stale Authentication Timestamp" #2908

Closed vladikoff closed 5 years ago

vladikoff commented 5 years ago

Ref: https://github.com/mozilla-mobile/reference-browser/issues/569

We can sign in but not sign up!

rfk commented 5 years ago

Does this repro 100% of the time?

rfk commented 5 years ago

IIUC this login flow hits the oauth key-data endpoint directly using a BrowserID assertion, so when it gets to here:

https://github.com/mozilla/fxa-auth-server/blob/master/fxa-oauth-server/lib/routes/key_data.js#L76

It will not have an iat claim and will fall back to using lastAuthAt, the value of which comes from here:

https://github.com/mozilla/fxa-auth-server/blob/master/lib/tokens/session_token.js#L66

It's calculated via Math.floor((this.authAt || this.createdAt) / 1000).

That ends up being compared against (keyRotationTimestamp / 1000) in the OAuth server code.

For newly created accounts, the authAt and keyRotationTimestamp fields are both equal to createdAt, so IIUC the comparison works out to:

    if (Math.floor(createdAt / 1000) < (createdAt / 1000)) {
      throw AppError.staleAuthAt(iat);
    }

Which will almost always be true. Using Math.floor on the right-hand side of the staleAuthAt check should help fix it, I think.
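The comparison described in this thread, reproduced as an added example (this is not code from fxa-auth-server; the function names, the `StaleAuthAtError` class standing in for `AppError.staleAuthAt`, and the sample timestamps are all constructed for illustration). It shows why a floored left-hand side compared against an unfloored right-hand side rejects almost every freshly created account, and that flooring both sides to whole seconds, as proposed above, accepts them while still rejecting a key rotation that happened after the last authentication.

```javascript
// Added example reproducing the staleAuthAt comparison from the issue.
// Not the project's code; names and timestamps here are constructed.

class StaleAuthAtError extends Error {
  constructor(iat) {
    super(`stale authentication timestamp: ${iat}`);
    this.name = 'StaleAuthAtError';
  }
}

// Mirrors the lastAuthAt calculation quoted from session_token.js:
// millisecond timestamp floored to whole seconds.
function lastAuthAt(token) {
  return Math.floor((token.authAt || token.createdAt) / 1000);
}

// Comparison as described in the issue: seconds (floored) on the left,
// fractional seconds on the right. Returns true when the check would
// throw, i.e. when the account would be rejected as stale.
function isStaleBuggy(token, keyRotationTimestamp) {
  return lastAuthAt(token) < keyRotationTimestamp / 1000;
}

// Proposed fix: floor both sides so they are compared at the same
// granularity (whole seconds).
function isStaleFixed(token, keyRotationTimestamp) {
  return lastAuthAt(token) < Math.floor(keyRotationTimestamp / 1000);
}

// Throwing wrapper in the shape of the route code quoted in the issue.
function assertFreshAuth(token, keyRotationTimestamp, check = isStaleFixed) {
  if (check(token, keyRotationTimestamp)) {
    throw new StaleAuthAtError(lastAuthAt(token));
  }
  return true;
}

// Constructed sample: a freshly created account, where authAt and
// keyRotationTimestamp both equal createdAt. The millisecond part (123)
// is what makes the unfloored right-hand side larger than the floored left.
const createdAt = 1556000000123;
const newAccount = { createdAt, authAt: createdAt };

// Same account but created on an exact second boundary: the only case in
// which the buggy comparison happens to pass.
const onBoundary = { createdAt: 1556000000000, authAt: 1556000000000 };

// Summarise the behaviour of both comparisons over a few scenarios.
function demo() {
  return {
    // new account, rotation == createdAt
    buggyRejectsNewAccount: isStaleBuggy(newAccount, createdAt),
    fixedRejectsNewAccount: isStaleFixed(newAccount, createdAt),
    // new account created exactly on a second boundary
    buggyRejectsOnBoundary: isStaleBuggy(onBoundary, onBoundary.createdAt),
    // key rotated 5 s after the last authentication: both must reject
    buggyRejectsRealRotation: isStaleBuggy(newAccount, createdAt + 5000),
    fixedRejectsRealRotation: isStaleFixed(newAccount, createdAt + 5000),
    // rotation within the same second as the auth: fixed check cannot see it
    fixedRejectsSubSecondRotation: isStaleFixed(newAccount, createdAt + 500),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running `demo()` shows the buggy comparison rejecting the fresh account unless `createdAt` happens to land on an exact second, and the floored comparison accepting it while still rejecting a rotation that is a whole second or more later. The one thing the floored form gives up is sub-second resolution: a key rotation inside the same second as the authentication compares as equal and is accepted, which is worth keeping in mind when choosing the granularity of timestamps that gate key material.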