Improve error message for bad timestamps

Summary: Ref T3031. While we should probably do more than this, provide a more useful error message so I don't have to make users run `date` and such. Test Plan: Added `|| true` and ran `arc list`: $ arc list --conduit-uri=http://local.aphront.com:8080/ Exception ERR-INVALID-TOKEN: The request you submitted is signed with a timestamp, but that timestamp is not within 15 m of the current time. The signed timestamp is 1375454102 (Fri, 02 Aug 2013 07:35:02 -0700), and the current server time is 1375454102 (Fri, 02 Aug 2013 07:35:02 -0700). This is a differnce of 0 seconds, but the timestamps must differ from the server time by no more than 900 seconds. Your client or server clock may not be set correctly. (Run with --trace for a full exception trace.) Reviewers: btrahan, chad Reviewed By: chad CC: aran Maniphest Tasks: T3031 Differential Revision: https://secure.phabricator.com/D6653
2024-09-20 09:18:48 +02:00 · 2013-08-02 07:38:59 -07:00 · 2013-08-02 07:38:59 -07:00 · f0857e4fd8
commit f0857e4fd8
parent 6c7f36f6b8
1 changed files with 20 additions and 2 deletions
--- a/src/applications/conduit/method/ConduitAPI_conduit_connect_Method.php
+++ b/src/applications/conduit/method/ConduitAPI_conduit_connect_Method.php
@ -117,8 +117,26 @@ final class ConduitAPI_conduit_connect_Method extends ConduitAPIMethod {

    $session_key = null;
    if ($token && $signature) {
-      if (abs($token - time()) > 60 * 15) {
-        throw new ConduitException('ERR-INVALID-TOKEN');
+      $threshold = 60 * 15;
+      $now = time();
+      if (abs($token - $now) > $threshold) {
+        throw id(new ConduitException('ERR-INVALID-TOKEN'))
+          ->setErrorDescription(
+            pht(
+              "The request you submitted is signed with a timestamp, but that ".
+              "timestamp is not within %s of the current time. The ".
+              "signed timestamp is %s (%s), and the current server time is ".
+              "%s (%s). This is a difference of %s seconds, but the ".
+              "timestamp must differ from the server time by no more than ".
+              "%s seconds. Your client or server clock may not be set ".
+              "correctly.",
+              phabricator_format_relative_time($threshold),
+              $token,
+              date('r', $token),
+              $now,
+              date('r', $now),
+              ($token - $now),
+              $threshold));
      }
      $valid = sha1($token.$user->getConduitCertificate());
      if ($valid != $signature) {