fix(clerk-js): Use the issued at timestamp from JWT for the MemoryTokenCache #1911

Closed
wants to merge 3 commits into from


octoper
Member

@octoper octoper commented Oct 18, 2023

Description

This PR changes the createdAt value when storing a token to the MemoryTokenCache from the current user time to the issued at time of the token to check how much time has elapsed from when the token has been issued.

Checklist

  • npm test runs as expected.
  • npm run build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:

Packages affected

  • @clerk/clerk-js
  • @clerk/clerk-react
  • @clerk/nextjs
  • @clerk/remix
  • @clerk/types
  • @clerk/themes
  • @clerk/localizations
  • @clerk/clerk-expo
  • @clerk/backend
  • @clerk/clerk-sdk-node
  • @clerk/shared
  • @clerk/fastify
  • @clerk/chrome-extension
  • gatsby-plugin-clerk
  • build/tooling/chore

@changeset-bot

changeset-bot bot commented Oct 18, 2023

⚠️ No Changeset found

Latest commit: 91c35c6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@octoper octoper force-pushed the vaggelis/sdk-816-gettoken-cache-issue branch from d10ddea to b1be06f Compare October 18, 2023 11:53
@octoper octoper marked this pull request as ready for review October 18, 2023 11:53
@octoper octoper requested a review from a team as a code owner October 18, 2023 11:53
Contributor

@dimkl dimkl left a comment

❓ What issue will this change resolve?
Also, I think that using the issuedAt instead of the end-user clock will not work for end-users with a clockSkew. The current implementation keeps the creation DateTime of the token based on the end-user clock and the expiration duration from the token, using expiresAt - issuedAt to calculate the exact time the token will expire based on the end-user clock.
Example:
End-user A, with a clockSkew of 10 minutes (compared to the FAPI server), retrieves a token with issuedAt at 00:10:00 that will expire in 60 seconds, at 00:11:00, while the end-user clock is 00:00:00. After 5 seconds, frontend code executes getToken() and tokenCache.get() is executed. The code in packages/clerk-js/src/core/tokenCache.ts will be executed on the end-user's side with:

    const nowSeconds = Math.floor(Date.now() / 1000);  // "00:00:05"
    const elapsedSeconds = nowSeconds - value.createdAt!; // "00:00:05" - "00:10:00"
    const expiresSoon = value.expiresIn! - elapsedSeconds < (leeway || 1) + SYNC_LEEWAY; // 60 - 595 < 10 - 5
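
Added example (not part of the PR or of the clerk-js code base): the expiry arithmetic from the snippet above, run over a constructed timeline to compare the two `createdAt` choices under client clock skew. The `leeway` default of 10, the `SYNC_LEEWAY` value of 5, the helper names and the sample timestamps are assumptions made for illustration.

```typescript
// Added illustration; SYNC_LEEWAY = 5 and leeway = 10 are assumed values.
const SYNC_LEEWAY = 5;

interface CacheEntry {
  createdAt: number; // seconds, on whichever clock the strategy picked
  expiresIn: number; // exp - iat, both taken from the server-issued JWT
}

// Same arithmetic as the quoted snippet, with the client clock injected.
function expiresSoon(entry: CacheEntry, clientNow: number, leeway: number = 10): boolean {
  const elapsedSeconds = clientNow - entry.createdAt;
  return entry.expiresIn - elapsedSeconds < (leeway || 1) + SYNC_LEEWAY;
}

// Behaviour described in the review: stamp the entry with the client clock.
function storeWithClientClock(iat: number, exp: number, clientNow: number): CacheEntry {
  return { createdAt: clientNow, expiresIn: exp - iat };
}

// Behaviour proposed by the PR: stamp the entry with the token's iat (server clock).
function storeWithIssuedAt(iat: number, exp: number): CacheEntry {
  return { createdAt: iat, expiresIn: exp - iat };
}

// Seconds after storing at which the cache first reports "expires soon",
// or -1 if it never does within `horizon` seconds.
function firstRefreshOffset(entry: CacheEntry, clientNowAtStore: number, horizon: number): number {
  for (let t = 0; t <= horizon; t++) {
    if (expiresSoon(entry, clientNowAtStore + t)) return t;
  }
  return -1;
}

// Constructed scenario: server clock reads 600 s at issue, token lives 60 s.
// skew = client clock minus server clock, in seconds.
function compare(skew: number): { clientClock: number; issuedAt: number } {
  const iat = 600, exp = 660, clientNow = iat + skew;
  return {
    clientClock: firstRefreshOffset(storeWithClientClock(iat, exp, clientNow), clientNow, 3600),
    issuedAt: firstRefreshOffset(storeWithIssuedAt(iat, exp), clientNow, 3600),
  };
}

console.log(compare(-600), compare(0), compare(600));
```

With the client clock 600 s behind, the `iat`-stamped entry is first flagged 646 s after storing, well past the 60 s lifetime, while the client-clock entry is flagged at 46 s regardless of skew. With the client clock 600 s ahead, the `iat`-stamped entry is flagged immediately, so it is never served from cache.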

@octoper octoper force-pushed the vaggelis/sdk-816-gettoken-cache-issue branch from b1be06f to 6bb41d5 Compare October 19, 2023 10:58
@octoper octoper marked this pull request as draft October 19, 2023 14:49
@octoper octoper force-pushed the vaggelis/sdk-816-gettoken-cache-issue branch from 45f63c6 to 91c35c6 Compare October 23, 2023 19:39
@octoper octoper closed this Oct 24, 2023
@octoper octoper deleted the vaggelis/sdk-816-gettoken-cache-issue branch October 24, 2023 20:32
@clerk-cookie
Collaborator

This PR has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@clerk clerk locked as resolved and limited conversation to collaborators Oct 24, 2024
3 participants