Don't send iat JWT claim if large time skew detected (#165)

qtoggle · Dec 18, 2023 · dc00ede · dc00ede
1 parent e177ef1
commit dc00ede
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 2 deletions.
diff --git a/qtoggleserver/frontend/js/api/base.js b/qtoggleserver/frontend/js/api/base.js
@@ -20,6 +20,8 @@ import * as APIConstants     from './constants.js'
 import * as NotificationsAPI from './notifications.js'
 
 
+const MAX_TIME_SKEW = 300 * 1000 /* Milliseconds */
+
 const logger = Logger.get('qtoggle.api.base')
 
 
@@ -28,6 +30,7 @@ let slaveName = null
 let apiURLPrefix = ''
 let syncBeginCallbacks = []
 let syncEndCallbacks = []
+let serverTimestamp = null
 
 
 /**
@@ -134,10 +137,15 @@ function makeRequestJWT(username, passwordHash) {
     let jwtHeader = {typ: 'JWT', alg: 'HS256'}
     let jwtPayload = {
         usr: username,
-        iat: Math.round(new Date().getTime() / 1000),
         ori: 'consumer',
         iss: 'qToggle'
     }
+    let timestamp = new Date().getTime()
+    /* If `LISTEN_KEEPALIVE` is set to a larger value, `serverTimestamp` might not be updated as often as we need. */
+    let maxTimeSkew = Math.max(MAX_TIME_SKEW, NotificationsAPI.LISTEN_KEEPALIVE)
+    if (serverTimestamp == null || Math.abs(serverTimestamp - timestamp) < maxTimeSkew) {
+        jwtPayload['iat'] = Math.round(timestamp / 1000)
+    }
     let jwtHeaderStr = Crypto.str2b64(JSON.stringify(jwtHeader))
     let jwtPayloadStr = Crypto.str2b64(JSON.stringify(jwtPayload))
     let jwtSigningString = `${jwtHeaderStr}.${jwtPayloadStr}`
@@ -284,11 +292,17 @@ export function apiCall({
             method, path, query, data,
             /* success = */ function (data, headers) {
 
+                if (headers['date']) {
+                    serverTimestamp = new Date(headers['date']).getTime()
+                }
                 resolveWrapper(data)
 
             },
             /* failure = */ function (data, status, msg, headers) {
 
+                if (headers['date']) {
+                    serverTimestamp = new Date(headers['date']).getTime()
+                }
                 rejectWrapper(data, status, msg)
 
             },

diff --git a/qtoggleserver/frontend/js/api/notifications.js b/qtoggleserver/frontend/js/api/notifications.js
@@ -15,7 +15,13 @@ import * as APIConstants from './constants.js'
 
 const DEFAULT_EXPECT_TIMEOUT = 60000 /* Milliseconds */
 const FAST_RECONNECT_LISTEN_ERRORS = 2
-const LISTEN_KEEPALIVE = 60 /* Seconds */
+
+/**
+ * In the absence of an event coming from the server, this is the interval for server keepalive responses.
+ * @alias qtoggle.api.LISTEN_KEEPALIVE
+ * @type {number}
+ */
+export const LISTEN_KEEPALIVE = 60 /* Seconds */
 
 
 /**