Verify jwt expiration time #13

SimonLab opened this issue Mar 24, 2020 · 5 comments

@SimonLab
Member

While using the authentication service I noticed the application sometimes returns an unauthorized response.

  • Check the expiration time when a jwt is created

see

jwt = AuthMvp.Token.generate_and_sign!(%{email: profile.email, session: session.id })

@SimonLab SimonLab added the T1h label Mar 24, 2020
@SimonLab SimonLab self-assigned this Mar 24, 2020
@SimonLab
Member Author

From the Joken documentation, the jwt created by the library has an expiration time of 2h:

image

Looking at how we can increase this value

@iteles
Member

iteles commented Mar 24, 2020

I've noticed this a lot. When I go to stop a timer after more than half an hour (I haven't tried this for intervals smaller than 30 minutes), I usually always get an unauthorised response.

This forces me to log out and log in again before I can use the app.

image

@SimonLab
Member Author

It's strange that in your case it happens around 30mn.
I've checked my current jwt with https://jwt.io/ and I can see that the issued at and expiration time values define a 2h gap:

  "exp": 1585051258, # expiration time value using unix epoch format
  "iat": 1585044058, # issued at

I'm going to create a PR soon to define the expiration time to 1 year. We'll then be able to test the jwt and see if it might be other claims which might invalidate your jwt
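
The claim inspection described in the comment above, as an added example that is not part of the original thread or the project's code: it decodes a token's payload without verifying the signature, computes the `exp` minus `iat` lifetime, and reports which time-based claim (if any) would reject the token at a given moment. The function names, the `nbf` check and the sample token are assumptions made for illustration; only the `iat` and `exp` values come from the thread.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    # JWT segments are base64url encoded with the "=" padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token: str, now: int, leeway: int = 0) -> dict:
    """Report the token lifetime and which time-based claims reject it at `now`."""
    claims = decode_claims(token)
    iat, exp, nbf = claims.get("iat"), claims.get("exp"), claims.get("nbf")
    report = {
        "lifetime_s": exp - iat if exp is not None and iat is not None else None,
        "remaining_s": exp - now if exp is not None else None,
        "failed": [],
    }
    if exp is not None and now >= exp + leeway:  # valid only strictly before exp
        report["failed"].append("exp")
    if nbf is not None and now < nbf - leeway:   # not yet valid
        report["failed"].append("nbf")
    return report


# Constructed sample: the claims use the iat/exp values quoted in the thread;
# the header is generic and the signature is a placeholder, not a real one.
SAMPLE = ".".join([
    _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"iat": 1585044058, "exp": 1585051258}).encode()),
    _b64url(b"placeholder-signature"),
])

if __name__ == "__main__":
    for minutes in (30, 121):
        print(minutes, diagnose(SAMPLE, now=1585044058 + minutes * 60))
```

With these values the token passes the `exp` check 30 minutes after issue and fails it only after the 2h mark, so a rejection at 30 minutes has to come from something other than `exp`.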

@nelsonic
Member

I logged in with GitHub Auth and created a few items with timers.
When I got back to my desk after a spot of gardening, the app was blank.

When I visit the / (root route): https://app-mvp-elm.herokuapp.com
image

But when I visit https://app-mvp-elm.herokuapp.com/capture
I see the same Access not authorised seen by @iteles above:
image

Suspect there is still an issue with the JWT? 🤔

@SimonLab
Member Author

I've checked the documentation again on how to define a new expiration time, and instead of the keyword exp I needed to use default_exp:
image

see https://hexdocs.pm/joken/Joken.Config.html#default_claims/1
