Invalid Token: TTL #17

Open
eraffaelli opened this issue Jan 22, 2019 · 2 comments

@eraffaelli

Hi,
First, thanks for your work releasing this lib.

I have a problem when decoding: it works for a few minutes (not exactly sure how long) but then after a while I get a TTL error. I am decoding a password multiple times so it may be the cause?

Here is my code :

let fernet_secret = new fernet.Secret(decryption_key),
        token = new fernet.Token({
            secret: fernet_secret,
            token: encrypted_password,
            ttl: ttl
        });

(at first I didn't set the ttl but I did it to test)
Here is the console log of the token after I created it :

token :  { secret:
   Secret {
     signingKeyHex: '22ed0b5d53898da008764e3351446b82',
     signingKey: { words: [Array], sigBytes: 16 },
     encryptionKeyHex: 'b74e36fa19fb0e1b3d87f7a36367c839',
     encryptionKey: { words: [Array], sigBytes: 16 } },
  ttl: 1652,
  message: undefined,
  cipherText: undefined,
  token: 'gAAAAABcRvXJncYHU1x5WsOQdoq0F5b5x0bAonutMiDqxS7IbZHBHUGWt3BukIhSAZp8tzfzMSRcUJMvjHiM_e-8hrViBYFrFw==',
  version: 128,
  optsIV: undefined,
  maxClockSkew: 60,
  time: { words: [ 0, 1548156260 ], sigBytes: 8 } }

And here is the error on the decode:

Error: Invalid Token: TTL
    at Token.decodeToken [as decode] (/project/node_modules/fernet/lib/token.js:65:15)
    at decrypt (/project/dist/functions.js:123:18)
    at Object.exports.get_password (/project/dist/functions.js:171:40)
    at <anonymous>
    at process._tickCallback (internal/process/next_tick.js:118:7)
/project/node_modules/fernet/lib/token.js:6

Can you tell me more about the ttl? What is its purpose? The duration of the validity for the Token just created? The duration for a password to be decoded? (which is why I tried to add the TTL manually, same TTL as the one I chose for this password).

Cheers

@dimonleonov

I have the same problem.
I dunno why this happens, but in a client/server architecture these lines in new fernet.Token solved my problem:
ttl: 1652 (increasing ttl fixes the 'Error: Invalid Token: TTL' problem)
maxClockSkew: 80 (increasing max clock skew can fix the problem with "too-low timestamp")

P.S. I hope since then no one else has encountered such an error. But still, I'll leave this entry here. Perhaps this will help someone :D
P.P.S. On the backend I used the Fernet Python module.

@mraleson

mraleson commented Oct 15, 2022

From looking at Fernet, the ttl parameter is basically an expiration in seconds of the encrypted data. You can select this when you decode; ttl is not baked into the encrypted data.

When the data is encrypted, a timestamp is saved with your encrypted data. When you're decrypting you can optionally pass in ttl if you want to reject tokens that are ttl seconds old. Basically, with a ttl, decrypt will fail if your current time is greater than the original timestamp + ttl.

It also checks if the timestamp on the encrypted message is basically in the future, which is invalid. Max clock skew is a grace period in case your computer's clock is slightly out of sync with the clock on the computer that encrypted. So it fails if current time + clock_skew < timestamp, meaning it looks like it was encrypted in the future, which means the clocks are out of sync.

Here is the Python implementation's code for checking ttl:
https://github.com/pyca/cryptography/blob/25f7005f2698bac5c7a1374c0f54782884385a64/src/cryptography/fernet.py#L143
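
The two time checks described in this thread, as an added example that is not part of the original comments or of the fernet.js code. It reads the creation timestamp from the token string in the first post's console log and applies the ttl and clock-skew rules; `tokenTimestamp` and `checkTimes` are hypothetical helper names, and using the logged `time` value (1548156260) as the clock at decode is an assumption.

```javascript
// Token string copied from the console log in the first post.
const TOKEN_FROM_ISSUE =
  'gAAAAABcRvXJncYHU1x5WsOQdoq0F5b5x0bAonutMiDqxS7IbZHBHUGWt3BukIhSAZp8tzfzMSRcUJMvjHiM_e-8hrViBYFrFw==';

// Fernet token layout: 1 version byte (0x80), then an 8-byte big-endian
// creation timestamp in seconds, then IV, ciphertext and HMAC.
// The header is readable without the key, but it is only trustworthy
// once the HMAC over the whole token has been verified.
function tokenTimestamp(token) {
  const b64 = token.replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  const buf = Buffer.from(b64, 'base64');
  if (buf.length < 9) throw new Error('token too short for a Fernet header');
  if (buf[0] !== 0x80) throw new Error('unknown Fernet version byte');
  // Combine the two 32-bit halves; safe for any realistic Unix time.
  return buf.readUInt32BE(1) * 2 ** 32 + buf.readUInt32BE(5);
}

// Hypothetical helper: apply the rules from the comment above.
//   future  : now + maxClockSkew < created  (clocks out of sync)
//   expired : now > created + ttl           (only when a ttl is given)
function checkTimes(token, now, ttl, maxClockSkew) {
  const created = tokenTimestamp(token);
  const age = now - created;
  if (now + maxClockSkew < created) return { status: 'future', created, age };
  if (ttl != null && now > created + ttl) return { status: 'expired', created, age };
  return { status: 'ok', created, age };
}

// Assumption: the `time` field in the logged Token object is the clock
// value used at decode time.
const LOGGED_TIME = 1548156260;

// With the ttl from the log (1652 s) the token is older than allowed.
console.log(checkTimes(TOKEN_FROM_ISSUE, LOGGED_TIME, 1652, 60));
// Without a ttl only the future-timestamp check applies.
console.log(checkTimes(TOKEN_FROM_ISSUE, LOGGED_TIME, undefined, 60));
```

Under that assumption the token was 1947 seconds old when it was decoded with ttl 1652, which is the expired case.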
