Token renewal loop #493
Comments
Hi. The session token appears to have an expiration prior to the time it is received. This makes KIP request a new token. This goes on and on. Look in the security and/or users settings. I don't remember where this setting is and I'm not in front of a computer at the moment. You should see a TTL value somewhere.
AFAIK there are no such settings. I think it's a bug. When I look at the JWT, the expiration is correct. Notice that it is also written as such to the console. It's May 25; far away from expiration. Here is a JWT as an example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Im9uYSIsImlhdCI6MTc0MDIyMjAyNywiZXhwIjoxNzQ3OTk4MDI3fQ.Dd03tUwSPj_2jw6GrKRrZ1eA8eWjKhA-nmSxYUPBWSA I just quickly browsed the code, and I might be wrong since I don't get it. The if on loc#70 asks if it is a device access token. It isn't, so the next if asks if the token is expired. It isn't. Then the code assumes that the token expires soon. However, that's not true. There is a check missing, isn't it?
What version of SK and KIP are you running? Do you have a complex setup or a simple point to point network and a RPi? It could be a bug but this code has been working fine for a long time and it is used by hundreds of users so I'd look somewhere else first. From the original post image, we can see the Authentication service received the token and says it's already expired. It then tries to renew automatically in an endless loop. When looking at JWT don't forget to account for time zones. The SK token timeout property is under Setting/Remember Me timeout. Like I said, unless SK's session token feature recently changed (in the last few days), I don't think it's a KIP issue. We would have multiple users reporting the issue. Hope this helps.
I appreciate your help!
It's a Raspberry Pi 5 running Signal K Server v2.13.2 and KIP v2.12.3. The Raspberry Pi gets its time zone from GPS. It is currently America/Guadeloupe. The notebook I'm using has Central European Time (CET). However, the issue occurs on every device in the same time zone.
IMO, the JWT has the seconds since the Epoch in UTC. I think it would be strange to have time zone-specific things in the token anyway, no? My screenshot is misleading; there, you see the conversion (while the second time zone is different since CH will switch from winter to summer time). Here is a new example: I did this at "19:08 Saturday, 22 February 2025 UTC" eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Im9uYSIsImlhdCI6MTc0MDI1MTI5OCwiZXhwIjoxNzQ4MDI3Mjk4fQ.H2J2jspUQyqa7V30uSZMs8dPtTJX2kWB46EtU_W0oZY I took the seconds from iat and exp and converted them (https://www.unixtimestamp.com). 1740251298: Saturday, February 22, 2025 7:08:18 PM UTC (iat - issued at) In every time zone, the expiration time isn't reached. Also when looking at the console (which uses GMT+0200) the expiration is in May 2025. Far away from now (the image isn't necessarily the same as the JWT above).
The setting is 90d. That reflects what the token says.
Can you try setting to 24 hours, 1 day to see if it changes anything. Also do you get the same problem when running KIP on the RPi?
Indeed, it works with 60d but not with 90d. The behavior is the same on the Raspberry Pi. How can this make a difference for the timer (
Interesting. Not sure it's a good security practice to set session token timeout for more than a few hours or maybe 1 day. KIP will renew in the background. That said, since it's an option, it should be fixed. The issue is probably somewhere in math and date usage in isTokenExpired() or getTokenExpirationDate(). Not too sure. At least you can run KIP for now. Note that if you plan to work on fixes and enhancements, make your PR as small and targeted as possible. KIP has had a new v3 version in the works for the last 8 months. It changes a lot of the UI layout framework so any code shared in that space will probably be a waste or have to be redone once v3 is out.
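One possible explanation for the 60d-versus-90d difference reported above, as an added example that is not KIP's code and not part of the thread: browsers coerce a `setTimeout` delay to a signed 32-bit integer, so a delay derived from a 90-day lifetime wraps negative and fires at once, while 60 days wraps to a positive value. That KIP arms its renewal timer from the token lifetime is an assumption; `browserTimerDelay`, `scheduleAfter` and `chunksFor` are hypothetical names.

```javascript
// Added example, not KIP's code. Assumption: the client arms a renewal timer
// with a delay computed from the token's remaining lifetime.
const INT32_MAX = 2 ** 31 - 1; // largest delay a browser timer honours (~24.8 days)
const DAY_MS = 86400000;

// Payload segment of the 90d token posted in the thread (signature not needed).
const PAYLOAD = "eyJpZCI6Im9uYSIsImlhdCI6MTc0MDI1MTI5OCwiZXhwIjoxNzQ4MDI3Mjk4fQ";

// JWT segments are base64url; iat/exp are seconds since the epoch, UTC.
function decodePayload(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Browsers convert the delay to a signed 32-bit integer (same wrap as `| 0`)
// and treat a negative result as 0, so the callback runs immediately.
function browserTimerDelay(ms) {
  return Math.max(ms | 0, 0);
}

// Mitigation: never pass more than INT32_MAX; re-arm until the time is used up.
function scheduleAfter(ms, fn, setTimer = setTimeout) {
  const chunk = Math.min(Math.max(ms, 0), INT32_MAX);
  const rest = ms - chunk;
  return setTimer(() => (rest > 0 ? scheduleAfter(rest, fn, setTimer) : fn()), chunk);
}

// Records the delays scheduleAfter would request, without waiting for them.
function chunksFor(ms) {
  const delays = [];
  let fired = false;
  scheduleAfter(ms, () => { fired = true; }, (cb, d) => { delays.push(d); cb(); });
  return { delays, fired };
}

const { iat, exp } = decodePayload(PAYLOAD);
console.log("token lifetime (days):", (exp - iat) * 1000 / DAY_MS);
for (const days of [1, 60, 90]) {
  console.log(`${days}d -> effective browser delay ${browserTimerDelay(days * DAY_MS)} ms`);
}
console.log("chunked 90d:", chunksFor(90 * DAY_MS));
```

Node.js handles over-range delays differently from browsers (it sets the delay to 1 ms and emits a `TimeoutOverflowWarning`), so the wrap is modelled here with `| 0` instead of a real timer.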
Once I log in with a user, KIP is unusable and stuck in a token renewal loop.