Auth Signatures/Sessions - Max lifetime, renewal, etc

Description
Current documentation on Generating Signatures doesn’t offer many details, or maybe I’m missing something… The example code includes:

let signature = "";
const iat = Math.round(new Date().getTime() / 1000);
const exp = iat + 60 * 60 * 2;

…which I assume is saying the expiration will be 2 hours in the future, though I’ve yet to test this.

Questions related to Signature/Session Lifetime:

  1. Is there a max lifetime? i.e. 24 hours?

  2. Does each user need their own unique signature, or can one signature be used per topic?
    Example of the latter, if 3 people were joining a topic named “teammeeting”:

    client.join('teammeeting', signature: 'aabbcc', username: 'mary', password: '1234').then(() ...
    
    client.join('teammeeting', signature: 'aabbcc', username: 'kimberly', password: '5324').then(() ...
    
    client.join('teammeeting', signature: 'aabbcc', username: 'michael', password: '8851').then(() ...
    
  3. If exp = 30 minutes, will the user be disconnected after 30 min? (this is the behavior with CPAAS vendors such as Agora)

    • If yes, is there a recommended way of seamlessly renewing sessions so the user does not experience interruption?
    • If no, I suppose renewal is a non-issue, since the user can stay as long as they’d like, and if they leave/re-join they can be issued a new signature.

Oh, I forgot passwords are topic-specific (I think), so the password in the above example would be the same for all users, instead of the 3 different passwords shown there.

But I don’t think this changes anything about my questions… topic-based signatures may still be possible, since the signature payload doesn’t seem to mandate any user-specific info:

const oPayload = {
  app_key: appKey,
  iat, exp, tpc: topic, pwd: passWord,
};
...
signature = KJUR.jws.JWS.sign('HS256', sHeader, sPayload, apiSecret);

I’ve done some testing on this…

Somewhere in the documentation it states that the max lifetime is 48 hours. I haven’t tested this limit, but have seen available error codes for it so I assume this is accurate. I’ve gone from 2 minutes to 24 hours with no issues, though.

The signatures are unique to topic && password. You can re-use a single signature for multiple users as long as it is within the expiration time. You can also use separate signatures for each user, so whatever works best for you should be fine.

From my testing, no. I set an expiration to 2m and my session remained active well after that expiration had ended. I think the expiration is only checked during join.

1 Like
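An added example, not part of the original posts or the SDK documentation: server-side generation of the signature payload shown in this thread with a bounded lifetime, plus a local check of the MAC and `exp`. Assumptions: the function names are hypothetical, Node's built-in `crypto` replaces KJUR, the header is the standard `{alg: 'HS256', typ: 'JWT'}` (the thread elides `sHeader`), and the 48-hour cap is the figure reported in the answer above.

```javascript
// Added example (not from the thread or the SDK docs). Uses Node's built-in
// crypto in place of the KJUR library seen in the thread's snippet.
const crypto = require('crypto');

// Assumption: the 48-hour maximum reported in the thread.
const MAX_TTL_SECONDS = 48 * 60 * 60;

const b64url = (s) => Buffer.from(s).toString('base64url');
const hmac = (input, secret) =>
  crypto.createHmac('sha256', secret).update(input).digest('base64url');

// Hypothetical server-side helper. Payload fields (app_key, iat, exp, tpc,
// pwd) are the ones shown in the thread; the API secret never leaves the server.
function generateSignature({ appKey, apiSecret, topic, passWord, ttlSeconds, now = Date.now() }) {
  if (!Number.isInteger(ttlSeconds) || ttlSeconds < 1 || ttlSeconds > MAX_TTL_SECONDS) {
    throw new RangeError(`ttlSeconds must be between 1 and ${MAX_TTL_SECONDS}`);
  }
  const iat = Math.floor(now / 1000);
  const payload = { app_key: appKey, iat, exp: iat + ttlSeconds, tpc: topic, pwd: passWord };
  const header = { alg: 'HS256', typ: 'JWT' };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${signingInput}.${hmac(signingInput, apiSecret)}`;
}

// Hypothetical local check (not the vendor's validation): recompute the MAC,
// compare in constant time, then reject expired tokens. Returns the payload.
function verifySignature(token, apiSecret, now = Date.now()) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [header, body, sig] = parts;
  const expected = Buffer.from(hmac(`${header}.${body}`, apiSecret));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const payload = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  if (payload.exp <= Math.floor(now / 1000)) throw new Error('expired');
  return payload;
}

// Constructed sample values: a 2-minute signature for the thread's example topic.
const sample = generateSignature({
  appKey: 'SAMPLE_KEY', apiSecret: 'SAMPLE_SECRET',
  topic: 'teammeeting', passWord: '1234', ttlSeconds: 120,
});
console.log(verifySignature(sample, 'SAMPLE_SECRET'));
```

Since the answer above reports that one signature works for every user of a topic and password until `exp`, and that `exp` appears to be checked only at join, a short `ttlSeconds` bounds how long a leaked signature can be used to join.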

You’re a life saver, thank you sir.

2 Likes

Thanks for sharing these answers, @bekit! 🙂

@cscav, let us know if you have any other questions!

-Tommy