authenticatedFetch is consistently providing me with JWTs with nbf ("Not Before Claim") values in the future #59

Closed
tolgap opened this issue Jun 16, 2021 · 6 comments
Labels
bug Something isn't working

Comments


tolgap commented Jun 16, 2021

Describe the bug

When my Mac OS X 11.3.1 Big Sur machine is close to a new minute on my system clock, I notice strange behavior:

  • I call authenticatedFetch
  • Shopify provides me with a JWT
  • This JWT is used to call my Koa-Graphql-Proxy
  • When verifying the session, I am greeted with Error: Failed to parse session token <token>: jwt not active

This error is happening consistently on my local development environment. When debugging the JWT parsing that is provided by @shopify/koa-shopify-auth, I notice the following behavior:

{
  iss: 'https://<store>.myshopify.com/admin',
  dest: 'https://<store>.myshopify.com',
  aud: 'ecf2834002ac630dde29e6937ff9c9ac',
  sub: '72564015311',
  exp: 2021-06-16T17:14:59.000Z,
  nbf: 2021-06-16T17:13:59.000Z,
  iat: 1623863639,
  jti: 'f3e2ebfb-7cd6-46cb-b84c-3907873d2f41',
  sid: '1f5d5129358032f321a6e3a5a3e7f2aa969ca62d0a4c922c8c7b6a36b1afffe3',
  now: 2021-06-16T17:13:57.845Z
}

I have added the now property to the JWT myself. As you can see, the nbf value of my token is in the future of my development machine:

nbf: 2021-06-16T17:13:59.000Z

now: 2021-06-16T17:13:57.845Z

This seems to mostly happen when my machine is within 3 seconds of a new minute. So for instance: between 13:30:57 and 13:30:59, I will run into this issue.

Contextual information

Packages and versions

List the relevant packages you’re using, and their versions. For example:

  • "@apollo/client": "^3.3.15"
  • "@shopify/app-bridge-react": "^2.0.2"
  • "@shopify/app-bridge-utils": "^2.0.2"
  • "@shopify/koa-shopify-auth": "^4.1.3"
  • "koa-session": "^6.2.0"
  • "koa": "^2.13.1"

Platform

  • OS: MacOS
  • OS Version: 11.3.1
  • App: Firefox 90

Additional context

Next.js app, using Koa. The default Shopify/shopify-app-node setup from shopify create.

I noticed some others running into this:

@tolgap tolgap added the bug Something isn't working label Jun 16, 2021

Tigatok commented Jun 17, 2021

@tolgap Hi tolgap,

I am also experiencing this. I have not confirmed that my timing is off. How did you debug the jwt token in that createShopifyAuth section?

Have you managed to fix this?


bkspace commented Jun 18, 2021

Hey @Tigatok, @tolgap - you could set a tolerance when verifying the JWT:

clockTolerance: number of seconds to tolerate when checking the nbf and exp claims, to deal with small clock differences among different servers

  • disclaimer: this is not security advice


Tigatok commented Jun 18, 2021

@bkspace Thanks for the response. I guess, with the server.json that the base projects get you started with, I am trying to understand where the JWT gets verified.

@AntoineMaitre

Also having this issue in development, following the build-a-shopify-app-with-node-and-react tutorial.

package.json details:

"dependencies": {
  "@shopify/app-bridge-react": "^2.0.3",
  "@shopify/app-bridge-utils": "^2.0.3",
  "@shopify/koa-shopify-auth": "^4.1.3",
  "@shopify/polaris": "^6.5.0",
  "apollo-boost": "^0.4.9",
  "dotenv": "^10.0.0",
  "graphql": "^15.5.1",
  "isomorphic-fetch": "^3.0.0",
  "koa": "^2.13.1",
  "koa-router": "^8.0.8",
  "next": "^11.0.1",
  "react": "^17.0.2",
  "react-apollo": "^3.1.5",
  "react-dom": "^17.0.2",
  "store-js": "^2.0.4",
  "webpack": "^4.46.0"
}


maruffahmed commented Jun 29, 2021

I had the same issue with nbf. My server request is made before the JWT token is active, and I end up with the error: Failed to parse session token <token>: jwt not active.
I solved this problem by manually syncing my Windows 10 time with time.windows.com. I'm wondering whether this issue is related to time, so merchants could face this too in their environments.


tolgap commented Apr 12, 2022

This is solved for me since Shopify/shopify-api-js#207 landed in @shopify/[email protected]

@tolgap tolgap closed this as completed Apr 12, 2022