fix(auth): tolerate device clock skew in login timestamp check #113

Merged: ddulic merged 2 commits into main from fix/login-timestamp-skew-tolerance, Jun 28, 2026
@ddulic ddulic commented Jun 28, 2026

Owner

Summary

  • Replaces the exact timestamp equality check in verify_login_hash with a 5-minute tolerance window matching the challenge TTL
  • The Supernote Nomad sends its own local epoch time in the login request (not an echo of the server's challenge timestamp), so any device clock drift triggered a silent auth failure displayed as "System time is incorrect"
  • The random_code nonce + TTL already provides full replay protection, so strict equality was unnecessarily fragile
  • Promotes all verify_login_hash failure paths from silent return False to logger.warning with specific context (skew diff in ms, stored vs client timestamps) to make future auth failures diagnosable from logs

Test plan

  • All existing auth/login tests pass (160 passed)
  • Full suite passes excluding pre-existing failures in test_web_parity.py (819 passed)
  • Pre-commit hooks pass (ruff, mypy, pytest)

https://claude.ai/code/session_01UgzvCBzPZ9Yvv8nANjtYv3

The `verify_login_hash` check required the client timestamp to exactly
equal the server's stored challenge timestamp. The Supernote device sends
its own local epoch time in the login request, so any clock drift (e.g.
from disabling NTP and manually setting a timezone) caused a silent auth
failure that the device surfaced as "System time is incorrect".

Replace the exact equality check with a tolerance window matching the
challenge TTL (5 minutes). The random_code nonce + TTL already provides
replay protection, so strict equality was over-constraining.

Also promote all verify_login_hash failure paths from silent returns to
logger.warning with enough context (skew diff in ms, stored vs client
timestamps) to diagnose auth failures without needing to reproduce them.

Claude-Session: https://claude.ai/code/session_01UgzvCBzPZ9Yvv8nANjtYv3

codecov Bot commented Jun 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Covers all new code paths introduced in the timestamp skew fix:
exact timestamp match, small skew within tolerance, skew exceeding
the TTL window, non-numeric timestamp, missing challenge, wrong hash,
and unknown user.

Claude-Session: https://claude.ai/code/session_01UgzvCBzPZ9Yvv8nANjtYv3
@ddulic ddulic merged commit c65b75a into main Jun 28, 2026
8 checks passed
@ddulic ddulic deleted the fix/login-timestamp-skew-tolerance branch June 28, 2026 10:46
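
A sketch of the tolerance-window check this PR describes, covering the cases its second commit lists. It is an added example, not the project's code: the function name `verify_login`, the `Challenge` record, the in-memory dicts, the single-use handling of the nonce and the SHA-256 hash construction are assumptions; only the 5-minute window, the nonce plus TTL, and the logged fields come from the PR text.

```python
import hashlib
import hmac
import logging
import time
from dataclasses import dataclass

logger = logging.getLogger("auth.example")
TOLERANCE_MS = 5 * 60 * 1000  # same 5-minute window as the challenge TTL


@dataclass
class Challenge:  # assumed record shape, not the project's
    random_code: str  # server-issued nonce
    issued_ms: int    # server clock when the challenge was issued


def expected_hash(password_hash: str, random_code: str) -> str:
    # Assumed construction for illustration; the real formula is not on the page.
    return hashlib.sha256((password_hash + random_code).encode()).hexdigest()


def verify_login(users, challenges, account, client_ts, submitted, now_ms=None):
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if account not in users:
        logger.warning("login rejected: unknown user %r", account)
        return False
    ch = challenges.pop(account, None)  # assumption: nonce is consumed on first use
    if ch is None:
        logger.warning("login rejected: no pending challenge for %r", account)
        return False
    if now_ms - ch.issued_ms > TOLERANCE_MS:  # TTL is judged on the server clock only
        logger.warning("login rejected: challenge for %r expired", account)
        return False
    try:
        ts = int(client_ts)
    except (TypeError, ValueError):
        logger.warning("login rejected: non-numeric timestamp %r", client_ts)
        return False
    skew = abs(ts - ch.issued_ms)  # device clock vs. server clock, in ms
    if skew > TOLERANCE_MS:
        logger.warning("login rejected: skew %d ms > %d ms (stored=%d client=%d)",
                       skew, TOLERANCE_MS, ch.issued_ms, ts)
        return False
    want = expected_hash(users[account], ch.random_code)
    if not hmac.compare_digest(want.encode(), str(submitted).encode()):
        logger.warning("login rejected: hash mismatch for %r", account)
        return False
    return True
```

Because expiry is measured against the server's own clock and the nonce is consumed, widening the client timestamp comparison does not extend how long a captured login request stays usable.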