Code-Hex
fixed iat error of 1 second earlier
Error I encountered
I have encountered an issue with token verification where the iat claim is consistently 1 second ahead of the calculated current timestamp, resulting in verification errors.
Decoding Firebase ID token failed. Make sure you passed the entire string JWT
which represents an ID token. See https://firebase.google.com/docs/auth/admin/verify-id-tokens for
details on how to retrieve an ID token. err: Error: Incorrect "iat" claim must be a older than
"1718141274" (iat: "1718141275")
Solution
I do not know the reason why, but I guess there is an calculation mismatch under 1000ms. I tested in my environment and figured out that Math.ceil fixes this problem to round the timestamp.
Justification
Honestly I do not know whether iat verification should be strict or not, however, I found that the same error is previously discussed on this Python repository and PR got merged. https://github.com/firebase/firebase-admin-python/pull/714 So IMO there is no reason to be strict and Math.ceil is somewhat valid solution.
Perhaps this error should be fixed comprehensively by adding clockSkewInSeconds args.
@Code-Hex Thanks for the response! I am facing two problems currently and I am wondering how to fix and write tests.
- What causes this 1 second iat difference in my dev environment, and this is not always.
Math.ceilreduced the occurency but not fixed completely. - This repository is bypassed by
@hono/firebse-authmiddleware, and should I also send PR to both repos to addclockSkewSecondsargs.
Problem 1. bothers me how to write test, and Problem 2. leads me think some another solution.
How to do you think?
Any updates on this?
Noticed another fork that seems to solve this issue in a different approach
https://github.com/MIERUNE/firebase-auth-cloudflare-workers-x509
@Code-Hex would appreciate merging the right approach.
