Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Users who have manually changed their clock cannot connect to mqtt(short issue description) #422

Closed
kimdanielarthur-cowlabs opened this issue Aug 26, 2023 · 10 comments
Closed

Users who have manually changed their clock cannot connect to mqtt(short issue description) #422

kimdanielarthur-cowlabs opened this issue Aug 26, 2023 · 10 comments
Labels
feature-request A feature should be added or improved. p2 This is a standard priority issue

Comments

@kimdanielarthur-cowlabs
Copy link

Describe the bug

When a user has changed the time on their device they are not able to connect to the mqtt

Expected Behavior

Expect some way to override the checking of current time on device ala correctClockSkew

Current Behavior

Have not seen any options to set the correctClockSkew for the iot-device-sdk v1 or v2

Reproduction Steps

  1. Change time on your device to be out of sync with actual time
  2. Try to connect to the mqttt
  3. See that connection fails

Possible Solution

Allow to forcibly override the checks on users local device time

Additional Information/Context

No response

SDK version used

v1.16.0

Environment details (OS name and version, etc.)

android/ios react native
@kimdanielarthur-cowlabs kimdanielarthur-cowlabs added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 26, 2023
@yasminetalby yasminetalby self-assigned this Aug 28, 2023
@yasminetalby yasminetalby added feature-request A feature should be added or improved. needs-discussion This issue/PR requires more discussion with community. and removed needs-triage This issue or PR still needs to be triaged. bug This issue is a bug. labels Aug 28, 2023
@yasminetalby
Copy link

Hello @kimdanielarthur-cowlabs ,

Thank you very much for your submission.

The SDK is currently behaving as expected. This would be more of a feature-request for the aws-iot-device-sdk-js-v2.
We are currently in discussion with the team regarding the potential implementation of this feature. I will keep you updated on here.

Thank you very much for your feedback and collaboration.

Best regards,

Yasmine

@kimdanielarthur-cowlabs
Copy link
Author

@bretambrose
Copy link
Contributor

Spent a little time looking into this. In your case, you're using the browser implementation and unfortunately I'm hitting a roadblock there that may prevent a nice solution. As near as I can tell, the websocket implementation (and mqtt-js) do not surface any information about the failing http response sent by AWS when the websocket handshake upgrade is signed by a skewed timestamp (the core problem here). Without the date header sent by IoT Core, we have no way to automatically calculate what the skew adjustment should be.

A less-nice alternative is for us to provide an optional callback that lets you adjust the timestamp used in signing. It's more work for you, but your application could hit some kind of trusted time service and inject that result into the signing process.

@kimdanielarthur-cowlabs
Copy link
Author

Thanks for looking deeper at it!

Yes I was thinking it could be a workaround to even have an option to pass some timeOffset to the client on construction and it would use that offset for all underlying requests within the sdk?

Kim

@bretambrose
Copy link
Contributor

bretambrose commented Aug 30, 2023
edited
Loading

Well, the problem just becomes yours now, as it's not clear how you can get a trustworthy timestamp in the browser (ie no NTP). Any calculation error that results in a timestamp off by more than 15 minutes is a sigv4 signing failure and complete connectivity lockout.

Another possibility I should mention: if you set up custom authentication to IoT Core then the connection process does not need an accurate timestamp (because sigv4 signing isn't used), only one good enough to do x509 cert chain validation for TLS.

@kimdanielarthur-cowlabs
Copy link
Author

@bretambrose
Copy link
Contributor

That route might work, but I don't know if it's possible to access the raw http response where the Date header would sit.

@kimdanielarthur-cowlabs
Copy link
Author

Awesome if the SDK just magically solves it of course :D

@jmklix jmklix added p2 This is a standard priority issue and removed needs-discussion This issue/PR requires more discussion with community. labels Sep 1, 2023
@yasminetalby yasminetalby removed their assignment Oct 2, 2023
@jmklix
Copy link
Member

jmklix commented May 17, 2024

This isn't something that we plan on adding to this sdk, so I'll be closing this issue. As @bretambrose mentioned above it's not possible to access the raw http response with the date header when running js in browser applications.

@jmklix jmklix closed this as completed May 17, 2024
@github-actions GitHub Actions
Copy link

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature-request A feature should be added or improved. p2 This is a standard priority issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@bretambrose @jmklix @yasminetalby @kimdanielarthur-cowlabs