fusi0n
14Jul/11

OAuth, Timestamps and VPSes


During yesterday's #HackEmail, I was hacking away on a little Context.IO/Dropbox application to allow users to send files to their Dropbox by email.  I only had a few hours to come up with a working prototype to have a shot at taking first place and the glorious iPad that came with it... however, I ran into a problem.

See, the OAuth protocol uses timestamps and nonces to validate requests. Should the requester's timestamp be negative or behind that of the server receiving the request, the request will fail, the whole OAuth workflow will fail with it, and chances are you'll have no goddamn clue why. Fear not! I experienced it, so I had to understand it.

Here's what happened. First, I need to properly lay out the setup I was working with:

  • OAuth request sent to Context.IO (in the "America/Montreal" (EST) timezone);
  • OAuth request sent from my application's server (in the "America/Chicago" (CST) timezone);
  • Server from which the request originates is a VPS from WebbyNode running Xen under Debian 6.

Now, there's a chance that, if you're in the same timezone or your timezone and date settings are properly set, all OAuth API calls will work just fine... but if the time never changed, there would be little reason for so many utilities to exist to update it. So, it changes. And if it changes just enough to fail the OAuth check... well, that's where the problem is.

Having a Xen-powered VPS means that the system clock is controlled by the host (or the "parent" machine, if you will). Whenever I would set the date to match that of the server I was sending requests to, it would revert right back. It sucked. For a long time. The fix is pretty simple; you just have to know it:

echo 1 > /proc/sys/xen/independent_wallclock && ntpdate pool.ntp.org

If independent_wallclock exists, permissions won't let you redirect output to overwrite it, so use the force-overwrite form of the redirect:

echo 1 >| /proc/sys/xen/independent_wallclock && ntpdate pool.ntp.org

After that, your timestamp should be good and the update you performed with ntpdate will finally stick.
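
The timestamp and nonce validation that a drifting clock trips, sketched from the server's side as an added example (not code from this post or from Context.IO). RFC 5849 defines oauth_timestamp as a positive integer, by default seconds since the Unix epoch, so it does not depend on the machine's timezone; the 300-second tolerance, the class name, the reason strings and the sample requests are assumptions.

```python
import time

MAX_SKEW = 300  # assumed tolerance in seconds; every provider picks its own


class TimestampNonceCheck:
    """Freshness check in the style of OAuth 1.0 (RFC 5849, section 3.3)."""

    def __init__(self, max_skew=MAX_SKEW, clock=time.time):
        self.max_skew = max_skew
        self.clock = clock   # injectable so the check can be tested
        self.seen = {}       # (consumer_key, nonce) -> timestamp

    def check(self, consumer_key, oauth_timestamp, oauth_nonce):
        """Return (ok, reason) so a failure can be logged with its cause."""
        try:
            ts = int(oauth_timestamp)
        except (TypeError, ValueError):
            return False, "timestamp_not_integer"
        if ts <= 0:
            return False, "timestamp_not_positive"
        now = int(self.clock())
        skew = ts - now
        if abs(skew) > self.max_skew:
            return False, "clock_skew_%+ds" % skew
        # Nonces older than the window can be dropped: a replay carrying
        # such a timestamp is already rejected by the skew check above.
        cutoff = now - self.max_skew
        self.seen = {k: t for k, t in self.seen.items() if t >= cutoff}
        key = (consumer_key, oauth_nonce)
        if key in self.seen:
            return False, "nonce_replayed"
        self.seen[key] = ts
        return True, "ok"


def demo():
    server_now = 1310601600  # constructed server clock (epoch seconds, UTC)
    guard = TimestampNonceCheck(clock=lambda: server_now)
    requests = [  # constructed (consumer_key, oauth_timestamp, oauth_nonce)
        ("app", str(server_now - 2), "n1"),     # healthy client
        ("app", str(server_now - 2), "n1"),     # same nonce sent again
        ("app", str(server_now - 3600), "n2"),  # client clock an hour behind
        ("app", "-5", "n3"),                    # negative timestamp
    ]
    return [guard.check(*r) for r in requests]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Returning the signed skew in the rejection reason is what turns "no clue why" into a one-line diagnosis in the server log.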
