Auth service challenge ttl desync#261
Merged
dDevAhmed merged 2 commits intoJun 1, 2026
Merged
Conversation
… challenge storage
…lenge verification and JWT issuance
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
All 8 tests pass.
Closes #182
Update Todos
Add getTtl method to RedisService
Store nonce with issuedAt timestamp in generateChallenge
Validate app-level TTL on login path
Update unit tests to cover TTL desync scenarios
Run tests to verify no regressions
All 8 tests pass. Here's the full diff summary:
src/auth/auth.service.ts
Added ChallengeRecord { nonce, issuedAt } interface at the top of the file.
generateChallenge — stores JSON.stringify({ nonce, issuedAt: Date.now() }) instead of the raw nonce string. Redis SETEX TTL is unchanged (300s).
login — parses the JSON record, then enforces elapsedSeconds >= NONCE_TTL_SECONDS using Date.now() as the app-layer clock. Redis TTL is now a backstop only. Corrupt/legacy (non-JSON) values are caught, the key is cleaned up, and a 401 is returned.
src/redis/redis.service.ts
Added ttl(key): Promise<number | null> — wraps ioredis.ttl() with the same graceful-degradation pattern as the other methods.
src/auth/auth.service.spec.ts
Updated existing tests to supply the new JSON record format via a makeRecord(nonce, ageSeconds) helper.
Added 4 new TTL desync tests covering: exact boundary, past boundary (key still in Redis), just inside window, and legacy raw-string (corrupt) nonce