Skip to content

chore: change leeway and reject tokens expiring and in less than #775

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
gbirman merged 4 commits into from
Jan 5, 2026
Merged

chore: change leeway and reject tokens expiring and in less than #775

gbirman merged 4 commits into from
Jan 5, 2026

Conversation

@gbirman
Copy link
Contributor

@gbirman gbirman commented Jan 2, 2026

Summary

Screenshots, GIFs, and Videos

@gbirman gbirman requested a review from a team as a code owner January 2, 2026 20:20
@gbirman gbirman requested a review from synoet January 2, 2026 20:20
@synoet
Copy link
Contributor

synoet commented Jan 2, 2026
edited
Loading

Rejection might be right to remove. But I think we should keep leeway at zero.

@gbirman
Copy link
Contributor Author

gbirman commented Jan 2, 2026

why do you think we should keep leeway at zero?

@gbirman
Copy link
Contributor Author

gbirman commented Jan 2, 2026

ok i think we should actually have both, leeway to account for potential clock skew between fusion auth and our own auth, and then the reject early to prevent downstream 401s that initially pass. there's a separate issue in the front end though about ensuring that our refresh propagates correctly. useUserInfo for instance will 401 due to a jwt expiry and then never refresh its false state which is why we see the banner in the Dock component. if we can a) maximize a token's lifetime but also b) ensure that the occasional rejection flows through to the auth state in the front end we'll be able to fix this

whutchinson98
whutchinson98 reviewed Jan 5, 2026
View reviewed changes
rust/cloud-storage/macro_auth/src/middleware/decode_jwt.rs Outdated
let mut validation = Validation::new(Algorithm::HS256);

validation.leeway = 0;
validation.leeway = 30;
Copy link
Member

@whutchinson98 whutchinson98 Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is the default so you could just remove thisa

Copy link
Contributor Author

@gbirman gbirman Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

default is 60 https://docs.rs/jsonwebtoken/latest/jsonwebtoken/struct.Validation.html

whutchinson98
whutchinson98 requested changes Jan 5, 2026
View reviewed changes
Copy link
Member

@whutchinson98 whutchinson98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead lets have leeway set to something reasonable like 5 to account for any clock skew and then remove the reject_tokens_expiring_in_less_than all together.

@gbirman
Copy link
Contributor Author

gbirman commented Jan 5, 2026

reverting to default because we already have things hardcoded elsewhere to account for 60s leeway, e.g. packages/core/signal/token.ts. don't want to sneakily break things between this and macro-api too so both will just use default for now

@gbirman gbirman merged commit 1b71370 into main Jan 5, 2026
35 checks passed
@gbirman gbirman deleted the gab/chore/add-leeway-instead-of-rejecting-tokens-expiring branch January 5, 2026 16:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@whutchinson98 whutchinson98 whutchinson98 approved these changes

@synoet synoet Awaiting requested review from synoet

Assignees

@gbirman gbirman

Labels

cloud-storage

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@gbirman @synoet @whutchinson98