fix(app authentication): Handle time difference between system and GitHub API time in JWT claims

[copperwall]

This adds error handling behavior for when app authentication fails due
to a mismatch in system times between the local machine and GitHub's API
servers. If an expiration (exp) or issued_at (iat) claim in the JWT
payload is invalid, the difference between the system time and GitHub's
server time is stored and further requests are made with JWTs that
include that time difference when creating the exp and iat claims.

Also, this is pending on changes in gr2m/universal-github-app-jwt#28. I tested it locally by npm linking the changes from that PR into this branch so the tests should pass when those changes get merged in. If there's any changes in that PR I'll update the library usage in this one too.

fixes #146
fixes probot/probot#1258
fixes https://github.com/octokit/rest.js/issues/1832

[gr2m]

Ooops! I found a pending review that I forgot to submit, sorry!

Also gr2m/universal-github-app-jwt#28 is merged and released now, could you finish this up?

[copperwall]

oh whoops sorry! I was out of town for a week or so, so I'm just seeing this review. I'll get back on this tomorrow

[gr2m]

no worries at all, thanks Chris!

[gr2m]

Are you still working on this?

I'm a bit confused that we are setting now which is a UNIX epoch as milliseconds to timeDifference which seems to be a time difference in seconds? Or am I missing something?

[copperwall]

Ah sorry I missed that, the githubAppJwt value for now should be the current time in seconds, not the difference in seconds from the GitHub time. I'm adding a fix for that right now.

[gr2m]

What concerns me is that despite your fix in 8f66a4b, all tests passed in 516c839. Do you think there is something that is not covered by tests? I'm concerned about future regressions we might miss

[copperwall]

I agree, I was thinking about that a little considering everything was passing with the previous commit. I think because I was using a mocked Date.now of 0 instead of some other non-zero value, the difference passed in was effectively the same as if the current time plus the difference in GitHub time was passed in.

I'll have to try out another test case that breaks with 516c839 but passes with 8f66a4b, since that really should've happened.

[gr2m]

Looking good now, I confirmed locally that the test introduced in b61b705 fails when 8f66a4b is not present, and it passes when 8f66a4b is present. Anything left to do on your side or is this ready for a final review?

[copperwall]

Thanks for confirming that on your end too (and for all the feedback so far, I really appreciate it), I think this is ready for a final review now

[gr2m]

This is really, really great work. Thank you @copperwall 🏆

[github-actions]

🎉 This PR is included in version 2.5.1 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)

Your semantic-release bot 📦🚀

[copperwall]

Thanks so much @gr2m!