Posted to dev@shindig.apache.org by Johan Euphrosine <pr...@aminche.com> on 2010/03/12 11:15:51 UTC
INVALID_GADGET_TOKEN error
Hi,
I looked into the Shindig code to figure out what could cause the
INVALID_GADGET_TOKEN error.
The following patch helped me to figure it out:
diff -r be446a9e9ff5 modules/shindig_integrator/shindig/php/src/common/sample/BasicBlobCrypter.php
--- a/modules/shindig_integrator/shindig/php/src/common/sample/BasicBlobCrypter.php Thu Feb 25 14:40:49 2010 +0100
+++ b/modules/shindig_integrator/shindig/php/src/common/sample/BasicBlobCrypter.php Thu Mar 11 14:41:48 2010 +0100
@@ -128,8 +128,15 @@
$minTime = (int)$out[$this->TIMESTAMP_KEY] - $this->CLOCK_SKEW_ALLOWANCE;
$maxTime = (int)$out[$this->TIMESTAMP_KEY] + $maxAge + $this->CLOCK_SKEW_ALLOWANCE;
$now = time();
+ $clock_skew_allowance = $this->CLOCK_SKEW_ALLOWANCE;
+ $timestamp_key = $this->TIMESTAMP_KEY;
+ $out_json = json_encode($out);
+ $minTimeStr = strftime("%Y-%m-%d %H:%M:%S", $minTime);
+ $maxTimeStr = strftime("%Y-%m-%d %H:%M:%S", $maxTime);
+ $nowStr = strftime("%Y-%m-%d %H:%M:%S", $now);
+ $timestampStr = strftime("%Y-%m-%d %H:%M:%S", (int)$out[$this->TIMESTAMP_KEY]);
if (! ($minTime < $now && $now < $maxTime)) {
- throw new BlobExpiredException("Security token expired");
+ throw new BlobExpiredException("Security token expired: maxAge: $maxAge clock_skew_allowance: $clock_skew_allowance timestamp_key: $timestamp_key out: $out_json timestamp:\
$timestampStr ! $minTimeStr < $nowStr < $maxTimeStr");
}
}
}
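Review bot: The new BlobExpiredException message interpolates $out_json, which is json_encode($out) of the whole array the timestamp is read from, so every field of that array ends up in the exception string; the decoder change later in this patch rethrows $e, so that string is no longer replaced by the generic INVALID_GADGET_TOKEN. If this diagnostic is meant to stay, write the timestamps to the server log and keep the thrown message as "Security token expired". The added json_encode and strftime assignments also run on every call, including for tokens that pass the check; move them inside the if block.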
diff -r be446a9e9ff5 modules/shindig_integrator/shindig/php/src/common/sample/BasicSecurityTokenDecoder.php
--- a/modules/shindig_integrator/shindig/php/src/common/sample/BasicSecurityTokenDecoder.php Thu Feb 25 14:40:49 2010 +0100
+++ b/modules/shindig_integrator/shindig/php/src/common/sample/BasicSecurityTokenDecoder.php Thu Mar 11 14:41:48 2010 +0100
@@ -34,7 +34,7 @@
*/
public function createToken($stringToken) {
if (empty($stringToken) && ! empty($_GET['authz'])) {
- throw new GadgetException('INVALID_GADGET_TOKEN');
+ throw new GadgetException('INVALID_GADGET_TOKEN EMPTY');
}
try {
//TODO remove this once we have a better way to generate a fake token
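Review bot: Changing the thrown string to 'INVALID_GADGET_TOKEN EMPTY' in the empty($stringToken) branch alters the error text the caller receives, so anything that compares against the exact string 'INVALID_GADGET_TOKEN' stops matching. Keep the error string unchanged and record the reason (empty token while $_GET['authz'] is set) in a log line instead, and add a comment explaining why the empty-token check applies only when authz is present.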
@@ -46,7 +46,7 @@
return BasicSecurityToken::createFromToken($stringToken, Config::get('token_max_age'));
}
} catch (Exception $e) {
- throw new GadgetException('INVALID_GADGET_TOKEN');
+ throw $e;//new GadgetException('INVALID_GADGET_TOKEN');
}
}
}
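Review bot: The line "throw $e;//new GadgetException('INVALID_GADGET_TOKEN');" turns the try/catch into a no-op and leaves the old throw behind as commented-out code: whatever createFromToken throws now reaches the caller with its internal message instead of the uniform GadgetException('INVALID_GADGET_TOKEN'), and code that catches GadgetException no longer sees these failures unless $e happens to be one. For debugging, log $e->getMessage() inside the catch and keep throwing the GadgetException; if expired and malformed tokens are meant to be distinguishable, catch BlobExpiredException separately and map it to its own error string.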
This helped me to make the following assumptions:
* iframe security token is generated when loading the gadget
* the gadget issues makeRequest with this security token
* if the iframe security token timestamp is more than maxAge old
(by default: 1 hour) INVALID_GADGET_TOKEN is thrown
* if doing a simple refresh of the browser the timestamp of the
security token doesn't change
* if doing a full refresh of the browser the timestamp of the
security token will be updated
Are these assumptions correct?
We are using shindig in the context of a drupal/poker Free Software
application (see http://pokersource.info/) where players can stay logged in
and play for more than one hour on a website.
What would be the appropriate strategy?
1/ Raising token_max_age to a value bigger than drupal session timeout
2/ Forcing iframe full refresh from javascript when INVALID_GADGET_TOKEN
is caught in HTTP 500 Error.
Thanks in advance.
--
Johan Euphrosine <pr...@aminche.com>
Development and services around Free Software
http://www.aminche.com/
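The validity window from the patch's context lines, and what the two strategies asked about above do to it, as an added example (not Shindig code and not part of the original post). The function names, the 180-second skew value and the 30-minute refresh interval used in the simulation are assumptions; the 1-hour max age is the default stated in the post.

```javascript
// Added illustration, not Shindig code. Names and SKEW are assumptions.
const MAX_AGE = 3600; // seconds; default token_max_age as stated in the post
const SKEW = 180;     // seconds; assumed value for CLOCK_SKEW_ALLOWANCE

// Same strict-inequality window as the patch context:
//   minTime = timestamp - skew, maxTime = timestamp + maxAge + skew
function tokenState(timestamp, now, maxAge = MAX_AGE, skew = SKEW) {
  const minTime = timestamp - skew;
  const maxTime = timestamp + maxAge + skew;
  if (now <= minTime) return "not-yet-valid";
  if (now >= maxTime) return "expired";
  return "valid";
}

// Simulate a session with one request every `step` seconds.
// refreshEvery = null keeps the token minted at page load (t = 0);
// otherwise the token is re-minted once it is refreshEvery seconds old.
function simulateSession(duration, step, refreshEvery, maxAge = MAX_AGE) {
  let issuedAt = 0;
  let refreshes = 0;
  let firstFailure = null;
  for (let now = step; now <= duration; now += step) {
    if (refreshEvery !== null && now - issuedAt >= refreshEvery) {
      issuedAt = now;
      refreshes += 1;
    }
    if (firstFailure === null && tokenState(issuedAt, now, maxAge) !== "valid") {
      firstFailure = now; // first request that would be rejected
    }
  }
  return { firstFailure, refreshes };
}

// How long a single token stays acceptable after issue: the cost of
// strategy 1, since a leaked token is usable for this whole period.
function acceptanceWindow(maxAge = MAX_AGE, skew = SKEW) {
  return maxAge + skew;
}
```

With these assumed values a three-hour session fails at 3780 seconds on the page-load token, while re-minting every 30 minutes keeps every request valid without widening the per-token acceptance window.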
Re: INVALID_GADGET_TOKEN error
Posted by xor exor <ma...@gmail.com>.
Thanks for the links, we have the same problem here :)
On Fri, Mar 12, 2010 at 2:04 PM, Ciancetta, Jesse E. <jc...@mitre.org> wrote:
> Hi Johan,
>
> There's an auth-refresh feature that ships with Shindig that sounds like it
> should help here. You can find more info on it here:
>
> http://markmail.org/message/c2ixtrlqrvyt3tgg
>
> and here:
>
> https://issues.apache.org/jira/browse/SHINDIG-655
>
> Hope that helps!
>
> --Jesse
RE: INVALID_GADGET_TOKEN error
Posted by "Ciancetta, Jesse E." <jc...@mitre.org>.
Hi Johan,
There's an auth-refresh feature that ships with Shindig that sounds like it should help here. You can find more info on it here:
http://markmail.org/message/c2ixtrlqrvyt3tgg
and here:
https://issues.apache.org/jira/browse/SHINDIG-655
Hope that helps!
--Jesse