JWT::ExpiredSignature #424

Open
flavio-b opened this issue Sep 11, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@flavio-b

flavio-b commented Sep 11, 2024

Describe the bug

Almost daily, we see a few JWT::ExpiredSignature errors in the backend. It appears AppBridge is failing to get a fresh token and submits the request with the expired token anyway.

To Reproduce

We can't reproduce the error. It happens randomly when merchants are interacting with the app throughout the day.

Expected behaviour

AppBridge would ensure the submitted JWT is always valid before submitting the request.

Contextual information

Packages and versions

  • @shopify/shopify_app @ 22.4.0
  • AppBridge from CDN
  • @hotwired/turbo-rails @ 2.0.6

Additional context

I think perhaps AppBridge should halt submissions that don't have a valid token, or throw a specific error that we could catch and try to submit again.

I don't know in which layer the issue is happening:

  1. Maybe the JWT server is failing intermittently.
  2. Maybe the AppBridge algorithm that decides when to fetch a fresh token, or use the one from its cache, is causing this issue.

@darrynten

I've been debugging a similar issue. What I do to get into the appropriate state is load the app, go to a secondary route, wait for over 24 hours, and then right-click the app and select "Reload frame", which then triggers the error.

This long wait is the only way I've been able to reliably reproduce our particular version of this expired signature bug; perhaps it will help you debug yours.

@flavio-b
Author

flavio-b commented Sep 12, 2024

Thanks for sharing! That's weird. Reloading the frame triggers a regular HTTP request so I wouldn't expect the JWT to be present anyway, right? Besides, it looks like each token expires after 1 minute, so why would it trigger an error only after 24 hours?

We're seeing the error often with one particular merchant. I reached out to them to get more info on how they use the app, to get more clues.

My guess, based on some timestamps, is they probably leave the app open for a while before doing any action. This causes the cached token to expire. Before triggering another fetch, AppBridge is supposed to check if the current token is expired, and get a new token. I think this action is failing under certain circumstances.

Edit: Today we got a bunch of these errors, from multiple merchants... This is getting frustrating.

@darrynten

There's a JWT present on the URL in the id_token param once the app has been through the session-token-bounce endpoint with the shopify-reload parameter set for app bridge.

On that note, once the user has passed this 'session-token-bounce' phase I no longer have to wait a long time for the bug to manifest; it can trigger after just 2 minutes of waiting before right-click -> reload frame (provided session token bounce flow has happened).
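
The pre-flight expiry check and retry-once behaviour asked for in this thread, sketched as an added example (not code from App Bridge, shopify_app or the commenters). It assumes the backend answers 401 for an expired token; `authorizedFetch`, `getFreshToken`, `SKEW_SECONDS` and the sample tokens are hypothetical, and decoding uses Node's `Buffer` so the sketch runs outside a browser.

```javascript
// Added example; all names here are hypothetical, not App Bridge or shopify_app APIs.
const SKEW_SECONDS = 10; // assumed margin for clock drift and request latency

// Constructed, unsigned sample token (header.payload.signature) used as demo input.
function sampleToken(exp) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${b64({ alg: "HS256", typ: "JWT" })}.${b64({ exp })}.sig`;
}

// Read the exp claim WITHOUT verifying the signature. This is only a client-side
// freshness hint; the server must still verify the signature and exp itself.
function tokenExpiry(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) return null;
  try {
    // Node's "base64" decoder also accepts the URL-safe alphabet used by JWTs.
    const payload = JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
    return Number.isFinite(payload.exp) ? payload.exp : null;
  } catch {
    return null; // malformed payload: treat as unusable
  }
}

// A token is usable only if it will still be valid SKEW_SECONDS from now.
function isUsable(jwt, nowSeconds) {
  const exp = tokenExpiry(jwt);
  return exp !== null && exp - SKEW_SECONDS > nowSeconds;
}

// Check the cached token just before use, refresh it if stale, halt if no valid
// token can be obtained, and retry once if the backend still rejects it.
async function authorizedFetch(send, getFreshToken, cache, now = () => Date.now() / 1000) {
  for (let attempt = 0; attempt < 2; attempt++) {
    if (!isUsable(cache.token, now())) cache.token = await getFreshToken();
    if (!isUsable(cache.token, now())) throw new Error("no valid session token");
    const res = await send(cache.token);
    if (res.status !== 401) return res;
    cache.token = null; // rejected by the server: never reuse it
  }
  throw new Error("session token rejected after refresh");
}
```

The retry path covers the case where the client clock says the token is still valid but the server disagrees; the explicit error gives calling code something specific to catch instead of a request going out with a stale token.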
