This repository has been archived by the owner on Apr 11, 2024. It is now read-only.

loadCurrentSession fails with error "jwt not active". Add support for clockTolerance when verifying JWTs. #207

Closed
1 task done
tolgap opened this issue Jun 30, 2021 · 12 comments · Fixed by #227

Comments

@tolgap
Contributor

tolgap commented Jun 30, 2021

Overview/summary

Online session tokens with JWTs are susceptible to timing issues between different systems. Shopify uses the NBF value from the JWT spec, which can cause issues on some systems.

The package used to verify JWTs is @auth0/node-jsonwebtoken. This package includes the option clockTolerance to allow for time drift or time differences.

Motivation

What inspired this enhancement?

On my development machine, I synchronize with time.apple.com. So no manual intervention is happening from my side. Yet I'm consistently being provided with JWTs with an NBF value in the future. Example:

    {
      iss: 'https://<store>.myshopify.com/admin',
      dest: 'https://<store>.myshopify.com',
      aud: 'ecf2834002ac630dde29e6937ff9c9ac',
      sub: '72564015311',
      exp: 2021-06-16T17:14:59.000Z,
      nbf: 2021-06-16T17:13:59.000Z,
      iat: 1623863639,
      jti: 'f3e2ebfb-7cd6-46cb-b84c-3907873d2f41',
      sid: '1f5d5129358032f321a6e3a5a3e7f2aa969ca62d0a4c922c8c7b6a36b1afffe3',
      now: 2021-06-16T17:13:57.845Z
    }

where I added the now property to the debug output myself. As you can see:

      nbf: 2021-06-16T17:13:59.000Z,
      now: 2021-06-16T17:13:57.845Z

The nbf value is in the future.

I would like to see support for an optional clockTolerance setting for verifying JWTs. It makes development a massive burden as I have to constantly refresh to receive a working token. I can use the token until expiry, and then I start receiving tokens with nbf in the future and my app has to re-auth again.

Related issues:

Shopify/shopify-app-bridge#59
https://community.shopify.com/c/Shopify-APIs-SDKs/JWT-Token-gt-nbf-value-in-future-time-jwt-not-active-error/td-p/1176040
#137

Checklist

  • I have described this enhancement in a way that is actionable (if possible)
@tolgap tolgap changed the title loadCurrentSession fails with error "jwt not active" loadCurrentSession fails with error "jwt not active". Add support for clockTolerance when verifying JWTs. Jun 30, 2021
@devopsangel

I rolled latest changes and facing the same issue.

[screenshot of the error, not captured]

    "@shopify/app-bridge-react": "^2.0.3",
    "@shopify/app-bridge-utils": "^2.0.3",
    "@shopify/koa-shopify-auth": "^4.1.4",
    "@shopify/koa-shopify-graphql-proxy": "^5.0.2",
    "@shopify/koa-shopify-webhooks": "^3.0.2",
    "@shopify/react-shopify-app-route-propagator": "^3.0.8",
    "@shopify/polaris": "^6.6.0",
    "@shopify/polaris-icons": "^4.6.2",
    "@shopify/shopify-api": "^1.4.1",

@devopsangel

Some updates... it seems on my Mac these were not checked. I was traveling lately... I was using a VPN and I needed to disable it. As soon as I enabled it, it seems the time issue got fixed and the "jwt not active" error disappeared.

[screenshots of the macOS date and time settings, not captured]

@tolgap
Contributor Author

tolgap commented Aug 10, 2021

I already have the setting on that I sync with time.apple.com. Mentioned this in my OP. I still consistently receive JWTs with an NBF value a few seconds in the future.

@jamescram

I was having this issue, also on Big Sur, and fixed it by installing ChronyControl as explained in this answer on StackExchange

@sgd2z

sgd2z commented Aug 19, 2021

I'm having the issue on Windows 10. My clock is syncing correctly with time.windows.com and I still get this error very often.

@PrateekGoyal18

Is there any solution update on this thread? I have been facing this issue on Windows 10 for the past week and am not able to find any solution.
Anyone, please help.

@TheSecurityDev

> Is there any solution update on this thread? I have been facing this issue on Windows 10 for the past week and am not able to find any solution.
> Anyone, please help.

Update to V2 of the library.

@panth-thakkar-shipsy

I am facing this issue. Why is the nbf value coming from the future? Any solution please, as my app is in production and customers are complaining that their requests are getting 401.

@tolgap
Contributor Author

tolgap commented Mar 7, 2022

Fixed by #227

@TheSecurityDev

This is still happening to users periodically. Is it possible to allow us to set the clock tolerance level ourselves?

@akospaska

I experience the same issue still.

@cristiberceanu

Still experiencing the same problem.
