Unauthorized exception with jwt > 2.8.2

[mohamedhafez]

When I update to any version of the jwt gem > 2.8.2, I randomly and non-deterministically get errors like this when sending out webpushes:

class: WebPush::Unauthorized
host: [fcm.googleapis.com](http://fcm.googleapis.com/), #<Net::HTTPForbidden 403 Forbidden readbody=true>
body:
permission denied: invalid JWT provided

A bunch of changes to jwt claim validators were introduced after version 2.8.2, so I bet the issue has to do with that.

I'm using JRuby 9.4.9.0 (latest version, compatible with Ruby 3.1), and a forked version of this gem that just edits out the commit to use the internal hkdf, to work around the fact that JRuby doesn't support it yet.

[collimarco]

Thanks for reporting your issue.

1. Maybe you can try to diff the output (request) generated using jwt gem = 2.8.2 and a later version? In that case the bug/regression could be reported directly to the jwt gem.

2. Also, have you tried to use MRI instead of JRuby and see if you get the same output? In that case it would be a problem with JRuby.

We are using jwt 2.9.3 (latest version) with MRI 3.3.6 (latest version) and I didn't notice major disruptions to the push service... however since you are describing an intermitted problem maybe it affects only a few requests.

If anyone else is experiencing this it would be useful to report the problem here.

[mohamedhafez]

This seems to happen once for every few thousand requests, so I don't think it would cause major disruptions. In addition to the 403 responses from Google, I'm getting these from Mozilla:

class: WebPush::Unauthorized
host: [updates.push.services.mozilla.com](http://updates.push.services.mozilla.com/), #<Net::HTTPUnauthorized 401 Unauthorized readbody=true>
body:
{"code":401,"errno":109,"error":"Unauthorized","message":"InvalidSignature","more_info":"http://autopush.readthedocs.io/en/latest/http.html#error-codes"}

Perhaps you could check your logs for any 403's from Google or 401's from Mozilla? For me i literally never got those before at all.

[mohamedhafez]

Perhaps I could log all the inputs to the single JWT.encode call, and then when I get one of these errors, I can retry offline with MRI and with different versions of the JWT gem to see the different outputs.

[mohamedhafez]

Dang, it looks like the JWT.encode call will return different outputs if you call it multiple times:

>> JWT.encode($jwt_payload, vapid_key.curve, 'ES256', $jwt_header_fields) == JWT.encode($jwt_payload, vapid_key.curve, 'ES256', $jwt_header_fields)
=> false

I assume it's doing some kind of salting of the signature. Any thoughts on how to reproduce the issue then? I suppose I could save the payload and header fields from a bad request, and see if i retry later if the error also occurs. Perhaps it will, and then we know it's something about specific values, but my hunch is that it won't and it's something about that salt or whatever it's doing to make each signature unique that is causing the issue

[collimarco]

Based on the error returned by Mozilla push service, the problem is related to VAPID:

401 - Bad Authorization - Authorization header is invalid or missing. See the VAPID specification.
errno 109 - Invalid authentication

VAPID behavior for this gem is defined in this file:
https://github.com/pushpad/web-push/blob/master/lib/web_push/vapid_key.rb

As you can see VAPID uses OpenSSL::PKey::EC, which is Elliptic-curve cryptography... and that is hard to test because the output of the signature is different each time. The choice of the algorithm was made by the standard, not by this gem in particular.

[mohamedhafez]

So PushPad does tons of web pushes every day right? Have you noticed any 401's at all while running with the latest jwt gem? Because they shouldn't be happening ever right? At least they never did for me.

It's tempting to think that the issue is with the vapid key signing or with JRuby's java implementation of openssl which is used in that vapid_key.rb a ton... but then why would it work perfectly fine under jwt 2.8.2 and only produce these errors in jwt 2.9.x? 🤔

[mohamedhafez]

Ok, I logged an example payload, header, and output jwt generated by JWT.encode call in request.rb that resulted in the 403 from google.

When I plug it in to JWT.io to try to verify it, it says the signature is invalid! So yeah something is going wrong with that JWT.encode call where it's generating bad signatures!

The problem is reproducing... with the exact same version of JRuby and jwt gem, if I manually run the JWT.encode call using the same payload, header, and vapid_key, it spits out a jwt that JWT.io says DOES has a valid signature 🤷‍♀️🤷‍♀️. So the problem happens non-deterministically once very few thousand signatures or so.

So it sounds like this is an issue that should be raised with https://github.com/jwt/ruby-jwt directly huh?

Out of an abundance of paranoia, just wanted to double check, it's ok to post that outputted jwt publically isn't it? it'll reveal my email, that sucks, but aside from that there's no way it'll include my private key or anything, correct?

[collimarco]

So PushPad does tons of web pushes every day right? Have you noticed any 401's at all while running with the latest jwt gem?

We are using jwt 2.9.3 with MRI 3.3.6 for Pushpad. I searched the errors that you reported above ("invalid JWT provided" or "InvalidSignature") and they are not present in our logs. So this seems a problem only in your configuration.

So the problem happens non-deterministically once very few thousand signatures or so.

I see, that is really hard to debug. If there was a way to test the JWT validation programmatically you could run the same JWT generation thousands of times, in a loop, and detect the invalid signatures... Then you could post that reproduction script as a bug in the JWT repository.

it's ok to post that outputted jwt publically isn't it? it'll reveal my email, that sucks, but aside from that there's no way it'll include my private key or anything, correct?

It will allow an attacker to repeat that push request, until the JWT expires.... apart from that, it should not reveal your private keys (the jwt is just the payload with a signature). In any case I am also paranoid on this kind of things and in general I would not post these things publicly (maybe only by email with a maintainer or a collaborator of the other project).

[collimarco]

Another simple thing that you can try is to run the test suite of this gem thousands of times with your specific configuration and see if you get any errors (randomly) from the tests. You can even try with different configurations (e.g. MRI vs JRuby, or different JWT versions) and see if the errors persist. I also wonder if this is somewhat related.

[mohamedhafez]

Got a reproduction script! Basically its a bug with JRuby (probably JRuby's implementation of OpenSSL), that only happens when multiple threads are trying to create JWT's at the same time. I'll file a bug report with them, thanks for the help! 🙏