Eleck•4w ago

Could not validate token during sync with better-auth

Hi! I'm using better-auth as my external auth service (not using convex-better-auth component), powered by TanStack Start, and I'm using it to authorize requests to Convex functions. I've set it all up following the Custom JWT Provider, but when my application tries to connect to Convex and connects the sync websocket, I'm getting Could not validate token. I've followed the Debugging Authentication doc multiple times, and I can't find the root cause. Yesterday, I could see the decoded token in the function, while getting this error. Today, without having changed anything related to auth, I'm not even getting the decoded token. I don't see any valid reason for this error to come up. I'll post some more details in thread. Any idea?

Debugging Authentication | Convex Developer Hub

You have followed one of our authentication guides but something is not working.

5 Replies

Convex Bot•4w ago

Thanks for posting in <#1088161997662724167>. Reminder: If you have a Convex Pro account, use the Convex Dashboard to file support tickets. - Provide context: What are you trying to achieve, what is the end-user interaction, what are you seeing? (full error message, command output, etc.) - Use search.convex.dev to search Docs, Stack, and Discord all at once. - Additionally, you can post your questions in the Convex Community's <#1228095053885476985> channel to receive a response from AI. - Avoid tagging staff unless specifically instructed. Thank you!

EleckOP•4w ago

Here are some details from my investigation : - Initially, I ran into some issue to expose my local JWKS endpoint, since I'm using better-auth , but I managed to work-around it by exposing it via a CloudFlare worker. - By default, better-auth JWT tokens don't have the "typ": "JWT" header, but even after modifying the lib to include that, the error is still here. - I figured the error was returned from this specific line from the back-end : https://github.com/get-convex/convex-backend/blob/a6c7aec0130dc7f6f49c9fcf898d7c40030ef8ba/crates/authentication/src/lib.rs#L317. Thus, I've roughly copied the code to try to validate it locally, and see if I could get a more relevant error (suspecting it could be related to the time-based claims). But the JWT is correctly validated locally using the same code:

GitHub

convex-backend/crates/authentication/src/lib.rs at a6c7aec0130dc7f6...

The open-source reactive database for app developers - get-convex/convex-backend

EleckOP•4w ago

use std::time::SystemTime;
use biscuit::{
    jwa::SignatureAlgorithm, jwk::JWKSet, TemporalOptions, ValidationOptions, JWT
};
use chrono::TimeZone;
use serde_json;

// based on this: https://github.com/get-convex/convex-backend/blob/a6c7aec0130dc7f6f49c9fcf898d7c40030ef8ba/crates/authentication/src/lib.rs#L317

fn main() {
    let jwt: &'static str = "<JWT>";
    let string_jwks = r#"<JWKS>"#;
    let jwks: JWKSet<biscuit::Empty> = serde_json::from_str(string_jwks).unwrap();

    let since_epoch = SystemTime::now()
        .duration_since(SystemTime::UNIX_EPOCH)
        .expect("couldn't calculate unix timestamp?")
        .as_secs() as i64;
    let chrono_utc = chrono::Utc.timestamp_opt(since_epoch, 0).unwrap();
    let validation_options = ValidationOptions {
        temporal_options: TemporalOptions {
            now: Some(chrono_utc),
            ..Default::default()
        },
        ..Default::default()
    };

    let token = JWT::<biscuit::Empty, biscuit::Empty>::new_encoded(jwt);
    let decoded_token = token.decode_with_jwks(&jwks, Some(SignatureAlgorithm::ES256)).unwrap();

    let result = decoded_token.validate(validation_options);
    println!("{:?}", result);
}

use std::time::SystemTime;
use biscuit::{
    jwa::SignatureAlgorithm, jwk::JWKSet, TemporalOptions, ValidationOptions, JWT
};
use chrono::TimeZone;
use serde_json;

// based on this: https://github.com/get-convex/convex-backend/blob/a6c7aec0130dc7f6f49c9fcf898d7c40030ef8ba/crates/authentication/src/lib.rs#L317

fn main() {
    let jwt: &'static str = "<JWT>";
    let string_jwks = r#"<JWKS>"#;
    let jwks: JWKSet<biscuit::Empty> = serde_json::from_str(string_jwks).unwrap();

    let since_epoch = SystemTime::now()
        .duration_since(SystemTime::UNIX_EPOCH)
        .expect("couldn't calculate unix timestamp?")
        .as_secs() as i64;
    let chrono_utc = chrono::Utc.timestamp_opt(since_epoch, 0).unwrap();
    let validation_options = ValidationOptions {
        temporal_options: TemporalOptions {
            now: Some(chrono_utc),
            ..Default::default()
        },
        ..Default::default()
    };

    let token = JWT::<biscuit::Empty, biscuit::Empty>::new_encoded(jwt);
    let decoded_token = token.decode_with_jwks(&jwks, Some(SignatureAlgorithm::ES256)).unwrap();

    let result = decoded_token.validate(validation_options);
    println!("{:?}", result);
}

Regarding my auth config, it looks like this:

// convex/auth.config.js
export default {
  providers: [
    {
      type: 'customJwt',
      // knucklebones-rework
      applicationID: process.env.APP_NAME,
      // http://localhost:3000
      issuer: process.env.BASE_URL,
      // https://<my-jwks-url>.workers.dev/
      jwks: process.env.JWKS_URL,
      algorithm: 'ES256'
    }
  ]
}

// convex/auth.config.js
export default {
  providers: [
    {
      type: 'customJwt',
      // knucklebones-rework
      applicationID: process.env.APP_NAME,
      // http://localhost:3000
      issuer: process.env.BASE_URL,
      // https://<my-jwks-url>.workers.dev/
      jwks: process.env.JWKS_URL,
      algorithm: 'ES256'
    }
  ]
}

I wouldn't mind sharing the JWKS and a JWT for an anonymous user if you'd like I've thought about it more, and the only likely cause of this would be if my computer is more than one second ahead of convex backend, which would invalidate the iat claim, as the token would seem like it has been generated in the future But in that case, I can't really see any solution to it (+ on windows 11 there's a button to sync time, and it didn't change anything) Perhaps I have to deploy my auth service and use it locally, idk Some updates on this: - Yesterday night, for some unknown reason, it worked (meaning that I can see the user identity in the Convex function, and I didn't see the error in the sync websocket. I didn't change anything after that. - This morning, I tried again and the error is here again, and the Convex function doesn't have the user identity. I really don't understand why this is so inconsistent

erquhart•4w ago

Looking at where that error is throwing in the backend, I'm pretty sure only expiry is being evaluated. Seems time based. Wondering if there are time differences between the systems you're using that's causing issues?

EleckOP•4w ago

Hi! I checked the biscuit package that is used, and yeah, expiry is checked, along with claims like iat, iss, and aud That's what I thought too, but I can't find a way to validate that theory; I live in France, so UTC+2, but the timestamp generated should be on UTC (and I've checked that when decoding the generated JWT tokens). And syncing my Windows time doesn't change anything (though, I'm using WSL, but I guess it should be the same time) If you'd like, here's a JWT for a local anonymous user I have:

eyJhbGciOiJSUzI1NiIsImtpZCI6IjVlZkU5Y2VkMWxnN3gxSVBId05xUHNmZlRXelVNNGUzIn0.eyJuYW1lIjoiQW5vbnltb3VzIiwiZW1haWwiOiJ0ZW1wLWZpdGV5eTZibG15bmV6cmIzZGl4enVzd2FyaGc2M3IxQGh0dHA6Ly9sb2NhbGhvc3Q6MzAwMCIsImVtYWlsVmVyaWZpZWQiOmZhbHNlLCJpbWFnZSI6bnVsbCwiY3JlYXRlZEF0IjoiMjAyNS0wNS0xMFQwODowNDo1OS4zNjZaIiwidXBkYXRlZEF0IjoiMjAyNS0wNS0xMFQwODowNDo1OS4zNjZaIiwiaXNBbm9ueW1vdXMiOnRydWUsImlkIjoicERkUG5wdk9sRXZsYXB2Z3JYTmJ4T3pXNERhcjltSVMiLCJpYXQiOjE3NDY4OTU0NjcsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MzAwMCIsImF1ZCI6ImtudWNrbGVib25lcy1yZXdvcmsiLCJleHAiOjE3NDY4OTYzNjcsInN1YiI6InBEZFBucHZPbEV2bGFwdmdyWE5ieE96VzREYXI5bUlTIn0.heqQr7PV3W1uGehxeE5C5JI1DaP9tJSrfgnYoaC5CYWuAIbsKJ8ALbfh-yPLwYAgVjjGZYI_nxH409F1VxJcbrrC-yUFI6crHrEmxJ-tJgek9qu6jBLZ3tpRizu-dS2ztomR0doc_BXrZqKICdynNmWqlUunQMId1nW4EDyjwYo-9CiXM6oSakWs75akDnXZrMN3xcjAcRkylHt4Y92MRo8ak2k_j70hn_9dmKVZ7nSUYV54hVznepjYU49koIcKFLjPQM_8kdIsYxvV0_kmga4nzhWqpS9yfnBHbyW6j2P2-X5YD351Lzg6sRu-swlh9VoEqE0m8D-Z0klBcwrFiA

eyJhbGciOiJSUzI1NiIsImtpZCI6IjVlZkU5Y2VkMWxnN3gxSVBId05xUHNmZlRXelVNNGUzIn0.eyJuYW1lIjoiQW5vbnltb3VzIiwiZW1haWwiOiJ0ZW1wLWZpdGV5eTZibG15bmV6cmIzZGl4enVzd2FyaGc2M3IxQGh0dHA6Ly9sb2NhbGhvc3Q6MzAwMCIsImVtYWlsVmVyaWZpZWQiOmZhbHNlLCJpbWFnZSI6bnVsbCwiY3JlYXRlZEF0IjoiMjAyNS0wNS0xMFQwODowNDo1OS4zNjZaIiwidXBkYXRlZEF0IjoiMjAyNS0wNS0xMFQwODowNDo1OS4zNjZaIiwiaXNBbm9ueW1vdXMiOnRydWUsImlkIjoicERkUG5wdk9sRXZsYXB2Z3JYTmJ4T3pXNERhcjltSVMiLCJpYXQiOjE3NDY4OTU0NjcsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MzAwMCIsImF1ZCI6ImtudWNrbGVib25lcy1yZXdvcmsiLCJleHAiOjE3NDY4OTYzNjcsInN1YiI6InBEZFBucHZPbEV2bGFwdmdyWE5ieE96VzREYXI5bUlTIn0.heqQr7PV3W1uGehxeE5C5JI1DaP9tJSrfgnYoaC5CYWuAIbsKJ8ALbfh-yPLwYAgVjjGZYI_nxH409F1VxJcbrrC-yUFI6crHrEmxJ-tJgek9qu6jBLZ3tpRizu-dS2ztomR0doc_BXrZqKICdynNmWqlUunQMId1nW4EDyjwYo-9CiXM6oSakWs75akDnXZrMN3xcjAcRkylHt4Y92MRo8ak2k_j70hn_9dmKVZ7nSUYV54hVznepjYU49koIcKFLjPQM_8kdIsYxvV0_kmga4nzhWqpS9yfnBHbyW6j2P2-X5YD351Lzg6sRu-swlh9VoEqE0m8D-Z0klBcwrFiA

Okay, so I think the issue was not about the Windows time being out of sync, but I think we WSL time. I'm not super sure, there's not a clean way to know the time shift, but it seemed like my WSL was one second late for some unknown reason. That could explain the inconsistency of getting this error or not. Though, if it was one second late, I don't really understand why the token claims would be invalidated. It's not like it was 1 second ahead and the iat claim was a future date. Just in case: https://tomssl.com/fixing-clock-drift-in-wsl2-using-windows-terminal/ I'll keep this updated if I run into this issue again. Thanks! I'll mark this as resolved as I mostly don't see this error anymore, or if I do, syncing the time on WSL works every time 👍

Could not validate token during sync with better-auth

Did you find this page helpful?