threefoldtech / rmb-rs

RMB implementation in rust
Apache License 2.0

JWT can expire before a connection is successfully established #188

Closed LeeSmet closed 4 months ago

LeeSmet commented 4 months ago

When the JWT is created, its expiration is set to 1 minute after creation. However, there are scenarios where establishing a working connection to the relay can take more time than this 1 minute, causing the connection to then be terminated with a generic 401 unauthorized. This happened for example here: https://github.com/threefoldtech/tf_operations/issues/2159#issuecomment-1924400349, because of IPv6 issues on the target node. Since most OSes resolve AAAA first, a connection was attempted on IPv6 which eventually timed out, at which point the IPv4 connection was established, which works immediately, but with an already expired JWT. While in this case the main cause was an issue on the server hosting the relay, similar problems could arise if there is server-level rate limiting.

muhamadazmy commented 4 months ago

Yes, that's by design. We generate a short-lived JWT for the sake of connecting only; if establishing the connection is taking more than 1 minute, then there is something else wrong.

The idea is to avoid abuse of the JWT if it was leaked.

muhamadazmy commented 4 months ago

Changing the IPv6 JWT expiration is not a solution, because: 1) we don't know how long we should make it, hence no value is a correct value; 2) I think if IPv6 is not working for the relay, either we remove the IPv6 record from DNS, or fix IPv6.

muhamadazmy commented 4 months ago

Each time rmb tries, it also generates a new token, so the client will not get stuck forever; once the network is restored it should work fine again.

Increasing the time of a JWT is IMHO not a "fix", it's just a hack to hide the actual problem.

delandtj commented 3 months ago

Fix IPv6 first, yes.
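The timeline from the opening comment, modelled as an added example (not rmb-rs code and not written by anyone in the thread): a token is minted once, addresses are tried in resolver order, and the relay checks the token's age when the first reachable address presents it. The `Attempt` and `Outcome` types and the 75 s and 1 s timings are constructed assumptions; only the 1-minute lifetime comes from the issue.

```rust
use std::time::Duration;

/// Token lifetime stated in the issue: one minute after creation.
const JWT_TTL: Duration = Duration::from_secs(60);

/// One address tried in resolver order (hypothetical model, not an rmb-rs type).
struct Attempt {
    family: &'static str,
    elapsed: Duration, // time spent before it connects or is abandoned
    connects: bool,
}

#[derive(Debug, PartialEq)]
enum Outcome {
    Accepted { family: &'static str, token_age: Duration },
    Expired { family: &'static str, token_age: Duration }, // relay answers 401
    Unreachable,
}

/// Mint the token at t = 0, walk the attempts in order, and report what the
/// relay sees when the first reachable address presents that token.
fn connect_with_token(attempts: &[Attempt]) -> Outcome {
    let mut token_age = Duration::ZERO;
    for a in attempts {
        token_age += a.elapsed;
        if !a.connects {
            continue;
        }
        let family = a.family;
        // RFC 7519: a token is only valid strictly before its `exp` time.
        return if token_age >= JWT_TTL {
            Outcome::Expired { family, token_age }
        } else {
            Outcome::Accepted { family, token_age }
        };
    }
    Outcome::Unreachable
}

/// Constructed timings: the AAAA attempt hangs for 75 s, then IPv4 connects in 1 s.
fn issue_scenario() -> Vec<Attempt> {
    vec![
        Attempt { family: "IPv6", elapsed: Duration::from_secs(75), connects: false },
        Attempt { family: "IPv4", elapsed: Duration::from_secs(1), connects: true },
    ]
}

fn main() {
    println!("{:?}", connect_with_token(&issue_scenario()));
}
```

Logging the token age next to a 401 on the client side makes this case distinguishable from a real authentication failure.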