fjs21/homebridge-blueair

AWS Access Token Expires, causing 403 Forbidden responses

Closed this issue · 12 comments

First reported here by @PeytonRG: #1 (comment)

What We Know

  • During the login process, the JWT is used to fetch an Access Token and Refresh Token.
  • The Access Token expires after 24 hours.

What We Don't Know

  • How long it takes for the Refresh Token to expire
  • The AWS endpoint used to validate and/or rotate Access and Refresh Tokens

Next Steps:

  • Identify how the refresh token is used to obtain a new Access Token

When this happens, would it be feasible to just log in with the provided credentials again to get fresh tokens? I think that could at least be a mitigation until the "correct" way is figured out.

@PeytonRG I'm testing exactly this locally on my NAS for the next 24 to 48 hours. If it looks like it's viable, I'll be submitting a PR shortly thereafter while we figure out how to properly rotate the tokens.
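The re-login mitigation discussed in the two comments above, sketched as an added example (not code from this thread or from the plugin): it logs in again shortly before the 24-hour lifetime stated in the issue runs out, and on an unexpected 403 logs in once and retries once. `ReloginSession`, `login`, `send` and the five-minute margin are hypothetical names and assumptions.

```javascript
// Added example; all names are hypothetical and this is not the plugin's code.
const ACCESS_TOKEN_TTL_MS = 24 * 60 * 60 * 1000; // 24 h lifetime stated in the issue
const REFRESH_MARGIN_MS = 5 * 60 * 1000;         // assumed safety margin

class ReloginSession {
  // login(): Promise<string> does the full credential login, returns an access token.
  // send(token, req): Promise<{status}> performs one authenticated API call.
  constructor({ login, send, now = Date.now }) {
    this.login = login;
    this.send = send;
    this.now = now;
    this.token = null;
    this.obtainedAt = 0;
    this.pending = null; // in-flight login shared by concurrent callers
  }

  isStale() {
    const age = this.now() - this.obtainedAt;
    return !this.token || age >= ACCESS_TOKEN_TTL_MS - REFRESH_MARGIN_MS;
  }

  // Single-flight: many requests hitting an expired token cause one login.
  relogin() {
    if (!this.pending) {
      this.pending = this.login()
        .then((token) => { this.token = token; this.obtainedAt = this.now(); })
        .finally(() => { this.pending = null; });
    }
    return this.pending;
  }

  async request(req) {
    if (this.isStale()) await this.relogin();
    const used = this.token;
    let res = await this.send(used, req);
    if (res.status === 403) {
      // Token rejected before its expected expiry. Skip the login if another
      // caller already replaced the token we used, then retry exactly once.
      if (this.token === used) await this.relogin();
      res = await this.send(this.token, req);
    }
    if (res.status === 403) {
      // Still forbidden with a fresh token: a real failure, so do not loop.
      throw new Error('403 after re-login; not retrying');
    }
    return res;
  }
}
```

Keeping the credentials inside the `login` closure means the session object itself only ever holds the short-lived access token.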

I just got the new update and re-enabled the plugin so I'll let you know if I run into this again.

@PeytonRG Sounds good - let me know what you find, but I think it may still be an issue. If so, I think I've got a more robust fix in place that I'm hoping to try out here soon.

Thanks,
Jon

@PeytonRG just wanted to check in, especially with 1.0.7 being released. How are things looking for you?

Haven't had any issues so far on 1.0.7 since updating a day or two ago!

After updating a different plugin that I had disabled, then re-enabling it, I did see it throw up that error in the log but it looks like it was able to self-correct this time.

That's great to hear - definitely this is still a temp fix, but it's good to see that it's healing it on its own now. Thanks for the update!

I've had this happen again once on 1.0.8 where I had to restart Homebridge to get anything working again.

@PeytonRG thanks for the update. I'm definitely still having trouble identifying how the tokens are refreshed. What were you seeing in the logs when you would try to control the device, prior to having to restart Homebridge?

It's been a while and I wasn't able to copy those logs, but I believe it was the type error '0' one we've seen before. Anyway, on the latest 1.1.0 version, I've had to disable the plugin because it breaks Homebridge with these errors.

[13/05/2022, 12:36:20] [BlueAir] Initializing BlueAir platform...
[13/05/2022, 12:36:20] [BlueAir] base_API_url: https://api.blueair.io/v2/user/<my_email_address>/homehost/
[13/05/2022, 12:36:20] Error: No region specified for Gigya API.
    at new BlueAirAwsApi (/usr/lib/node_modules/@fjs21/homebridge-blueair/src/blueair-aws-api.ts:67:13)
    at new BlueAirHomebridgePlatform (/usr/lib/node_modules/@fjs21/homebridge-blueair/src/platform.ts:42:25)
    at /usr/lib/node_modules/homebridge/src/server.ts:442:40
    at Array.forEach (<anonymous>)
    at Server.loadPlatforms (/usr/lib/node_modules/homebridge/src/server.ts:374:27)
    at Server.start (/usr/lib/node_modules/homebridge/src/server.ts:161:29)
[13/05/2022, 12:36:20] TypeError: Cannot read properties of undefined (reading 'gigyaRegion')
    at BlueAirAwsApi.setAwsRegions (/usr/lib/node_modules/@fjs21/homebridge-blueair/src/blueair-aws-api.ts:85:49)
    at new BlueAirAwsApi (/usr/lib/node_modules/@fjs21/homebridge-blueair/src/blueair-aws-api.ts:65:10)
    at new BlueAirHomebridgePlatform (/usr/lib/node_modules/@fjs21/homebridge-blueair/src/platform.ts:42:25)
    at /usr/lib/node_modules/homebridge/src/server.ts:442:40
    at Array.forEach (<anonymous>)
    at Server.loadPlatforms (/usr/lib/node_modules/homebridge/src/server.ts:374:27)
    at Server.start (/usr/lib/node_modules/homebridge/src/server.ts:161:29)
[13/05/2022, 12:36:20] Got SIGTERM, shutting down Homebridge...
fjs21 commented

This looks like the gigyaRegion is not set. @jonato1 Take a look at the commit 'minor fixes'. I think that should solve it, and I will push out an update shortly.