Check Google id token expiration before usage #5691

Closed
sosnovsky opened this issue Apr 27, 2024 · 2 comments · Fixed by #5731

@sosnovsky (Collaborator)
Sometimes in browser extension console logs I see error:

webmail_bundle.js:49 BrowserMsg(ajax) Unauthorized: 401 when GET-ing https://..../keys/private (no body):  -> No matching authenticator found for Authorization starting with Bearer eyJhbGciOiJSUzI1NiIsImt...


[callerStack]
    at BrowserMsg.sendRaw (chrome-extension://pjohdcpiapjhagmakkjpgjmodmgfmkkd/js/content_scripts/webmail_bundle.js:10292:26)
    at BrowserMsg.sendAwait (chrome-extension://pjohdcpiapjhagmakkjpgjmodmgfmkkd/js/content_scripts/webmail_bundle.js:10280:37)
    at Object.ajax (chrome-extension://pjohdcpiapjhagmakkjpgjmodmgfmkkd/js/content_scripts/webmail_bundle.js:10435:38)
    at Api.ajax (chrome-extension://pjohdcpiapjhagmakkjpgjmodmgfmkkd/js/content_scripts/webmail_bundle.js:7334:55)
    at Api.apiCall (chrome-extension://pjohdcpiapjhagmakkjpgjmodmgfmkkd/js/content_scripts/webmail_bundle.js:7642:34)
    at KeyManager.getPrivateKeys (chrome-extension://pjohdcpiapjhagmakkjpgjmodmgfmkkd/js/content_scripts/webmail_bundle.js:7879:34)
    at chrome-extension://pjohdcpiapjhagmakkjpgjmodmgfmkkd/js/content_scripts/webmail_bundle.js:16058:78
    at chrome-extension://pjohdcpiapjhagmakkjpgjmodmgfmkkd/js/content_scripts/webmail_bundle.js:93:27

I checked the backend logs and found the reason for the mentioned error:

Client error: 401 Unauthorized GET http://[127.0.0.1]/v1/keys/private | id: a1bc06e10319 | message: authentication:
The JWT is no longer valid - the evaluation time NumericDate{1714160438 -> Apr 26, 2024, 7:40:38 PM UTC} is on or after the Expiration Time (exp=NumericDate{1714159800 -> Apr 26, 2024, 7:30:00 PM UTC}) claim value (even when providing 30 seconds of leeway to account for clock skew).

Currently we don't have a check for the id token expiration time, so let's check whether the id token has expired before using it, and refresh expired tokens before use.

@sosnovsky sosnovsky added this to the 8.5.5 milestone Apr 27, 2024
@sosnovsky sosnovsky modified the milestones: 8.5.5, 8.5.6 May 13, 2024
@ioanmo226 (Collaborator)

@sosnovsky, I think we can streamline the token refresh logic by moving it from ExternalService.request to Api.ApiCall.
How about we add a try-catch block in Api.ApiCall like ExternalService.request?
This way, if a call fails due to a 401 unauthorized error, it automatically tries to refresh the access token and attempts the call again to resolve the issue. What do you think?

if (ApiErr.isAuthErr(firstAttemptErr) && idToken) {
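The two checks discussed in this thread, as an added example that is not code from the FlowCrypt extension or from either commenter: reading the `exp` claim of an id token so that a stale token is refreshed before the request is sent (the expiry check from the opening post), and wrapping the call so that a 401 still triggers one refresh-and-retry (the approach proposed in the comment above). `isIdTokenStale`, `callWithIdToken`, and the `fetchFn`/`refreshFn` interfaces are assumed names, not the extension's own API; the tokens are constructed and unsigned, since the client only needs the payload and signature verification stays on the backend. The `exp` and evaluation-time values replay the backend log quoted in the issue.

```javascript
// Added example, not code from the FlowCrypt extension. Requires Node.js (Buffer).

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

// Constructed, unsigned compact JWT for the demo; the third segment is a
// placeholder, not a real signature.
function makeUnsignedToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify(claims));
  return `${header}.${payload}.placeholder-signature`;
}

// Read the payload of a compact JWT without verifying it. The client only
// needs `exp` to decide whether to refresh; the backend verifies the signature.
function jwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// The backend log in the issue rejects a token once the evaluation time is on
// or after `exp`, even with 30 s of leeway in the server's favour. The client
// therefore treats a token as stale `marginSeconds` *before* `exp`, so a
// request that is a few seconds in flight still carries a valid token.
// A token without a numeric `exp` claim is treated as stale as well.
function isIdTokenStale(token, nowSeconds, marginSeconds = 30) {
  const { exp } = jwtPayload(token);
  if (!Number.isFinite(exp)) return true;
  return nowSeconds + marginSeconds >= exp;
}

// Authenticated call with refresh. `fetchFn(token)` resolves to { status, body };
// `refreshFn()` resolves to a new id token (assumed interfaces). The token is
// refreshed proactively when stale and, if the server still answers 401,
// reactively once more; a second 401 is returned to the caller unchanged.
async function callWithIdToken({ idToken, fetchFn, refreshFn, nowSeconds }) {
  let token = idToken;
  let refreshes = 0;
  if (isIdTokenStale(token, nowSeconds)) {
    token = await refreshFn();
    refreshes += 1;
  }
  let res = await fetchFn(token);
  if (res.status === 401 && refreshes === 0) {
    token = await refreshFn();
    refreshes += 1;
    res = await fetchFn(token);
  }
  return { status: res.status, body: res.body, refreshes };
}

// Constructed stand-in for the backend: only `acceptedToken` is authorised,
// anything else gets the 401 seen in the issue.
function makeFakeBackend(acceptedToken) {
  return async (token) => (token === acceptedToken
    ? { status: 200, body: '<private keys>' }
    : { status: 401, body: 'Unauthorized: No matching authenticator found' });
}

// Replay the scenario from the issue: exp and evaluation time are taken from
// the quoted backend log; the fresh token is constructed.
async function demo() {
  const now = 1714160438;                               // Apr 26, 2024, 7:40:38 PM UTC
  const stale = makeUnsignedToken({ exp: 1714159800 }); // Apr 26, 2024, 7:30:00 PM UTC
  const fresh = makeUnsignedToken({ exp: now + 3600 });
  const backend = makeFakeBackend(fresh);
  const refreshFn = async () => fresh;

  // 1) Expiry caught client-side: one proactive refresh, no 401 is ever sent.
  const proactive = await callWithIdToken({ idToken: stale, fetchFn: backend, refreshFn, nowSeconds: now });

  // 2) Token looks fresh to the client (exp in the future) but the server no
  //    longer accepts it: the 401 path refreshes once and retries.
  const rejected = makeUnsignedToken({ exp: now + 3600, jti: 'constructed-rejected' });
  const reactive = await callWithIdToken({ idToken: rejected, fetchFn: backend, refreshFn, nowSeconds: now });

  return { proactive, reactive };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

Keeping both paths matters: the proactive check removes the noisy 401s from the console logs, while the reactive retry still covers tokens the server stops accepting before `exp` (and a failed refresh surfaces the 401 rather than looping).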

@sosnovsky (Collaborator, Author)

Sounds good, let's try this solution

sosnovsky pushed a commit that referenced this issue May 31, 2024
* feat: added token refresh logic when 401 error occurs

* fix: circular dependency injection error
ioanmo226 added a commit that referenced this issue Jun 3, 2024
* feat: added token refresh logic when 401 error occurs

* fix: circular dependency injection error