Closed vladikoff closed 5 years ago
Does this repro 100% of the time?
IIUC this login flow hits the oauth key-data endpoint directly using a BrowserID assertion, so when it gets to here:
https://github.com/mozilla/fxa-auth-server/blob/master/fxa-oauth-server/lib/routes/key_data.js#L76

It will not have an `iat` claim and will fall back to using `lastAuthAt`, the value of which comes from here:
https://github.com/mozilla/fxa-auth-server/blob/master/lib/tokens/session_token.js#L66

It's calculated via `Math.floor((this.authAt || this.createdAt) / 1000)`.

That ends up being compared against `(keyRotationTimestamp / 1000)` in the OAuth server code.

For newly created accounts, the `authAt` and `keyRotationTimestamp` fields are both equal to `createdAt`, so IIUC the comparison works out to:

```js
if (Math.floor(createdAt / 1000) < (createdAt / 1000)) {
  throw AppError.staleAuthAt(iat);
}
```

Which will almost always be true. Using `Math.floor` on the right-hand side of the `staleAuthAt` check should help fix it, I think.
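To make the precision mismatch above concrete, here is an added example (not code from fxa-auth-server or from the commenter) that models the two sides of the check: `lastAuthAt` floored to whole seconds as in `session_token.js`, and `keyRotationTimestamp` divided by 1000 with and without the proposed `Math.floor`. The function names and the millisecond timestamps are constructed for the example.

```javascript
// Added example: models the stale-auth comparison described in the issue.
// All function names and timestamps here are constructed, not fxa-auth-server code.

// Mirrors how session_token.js derives lastAuthAt: whole seconds, floored.
function lastAuthAtFromSession(authAt, createdAt) {
  return Math.floor((authAt || createdAt) / 1000);
}

// Comparison as reported: the right-hand side keeps fractional seconds,
// so a freshly created account (lastAuthAt and keyRotationTimestamp both
// derived from the same createdAt) compares as stale whenever createdAt
// is not an exact multiple of 1000 ms.
function isStaleAuthAtBuggy(lastAuthAt, keyRotationTimestamp) {
  return lastAuthAt < (keyRotationTimestamp / 1000);
}

// Proposed fix: floor both sides so they are compared at the same precision.
// A key rotation that happened in a later second is still detected.
function isStaleAuthAtFixed(lastAuthAt, keyRotationTimestamp) {
  return lastAuthAt < Math.floor(keyRotationTimestamp / 1000);
}

// New account: authAt is unset, keyRotationTimestamp === createdAt.
// Returns what each variant of the check decides for that case.
function simulateNewAccount(createdAt) {
  const lastAuthAt = lastAuthAtFromSession(undefined, createdAt);
  return {
    lastAuthAt,
    buggy: isStaleAuthAtBuggy(lastAuthAt, createdAt),
    fixed: isStaleAuthAtFixed(lastAuthAt, createdAt),
  };
}

// Constructed sample: a createdAt with a 789 ms fractional part.
const SAMPLE_CREATED_AT = 1556123456789;
console.log(simulateNewAccount(SAMPLE_CREATED_AT)); // buggy: true, fixed: false
```

With a `createdAt` that happens to land on an exact second boundary both variants agree, which is why the failure is "almost always" rather than always reproducible.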
Ref: https://github.com/mozilla-mobile/reference-browser/issues/569
We can sign in but not sign up!