astroband · nebolsin · Feb 18, 2022 · Feb 10, 2022 · Feb 18, 2022 · Feb 18, 2022
diff --git a/sdk/lib/stellar/sep10.rb b/sdk/lib/stellar/sep10.rb
@@ -4,6 +4,10 @@ class InvalidSep10ChallengeError < StandardError; end
   class SEP10
     include Stellar::DSL
 
+    # We use a small grace period for the challenge transaction time bounds
+    # to compensate possible clock drift on client's machine
+    GRACE_PERIOD = 5.minutes
+
     # Helper method to create a valid {SEP0010}[https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0010.md]
     # challenge transaction which you can use for Stellar Web Authentication.
     #
@@ -157,7 +161,7 @@ def self.read_challenge_tx(server:, challenge_xdr:, **options)
       time_bounds = transaction.time_bounds
       now = Time.now.to_i
 
-      if time_bounds.blank? || !now.between?(time_bounds.min_time, time_bounds.max_time)
+      if time_bounds.blank? || !now.between?(time_bounds.min_time - GRACE_PERIOD, time_bounds.max_time + GRACE_PERIOD)
         raise InvalidSep10ChallengeError, "The transaction has expired"
       end
 

diff --git a/sdk/spec/lib/stellar/sep10_spec.rb b/sdk/spec/lib/stellar/sep10_spec.rb
@@ -181,23 +181,41 @@
       expect { read_challenge }.to raise_invalid("is not signed by the server")
     end
 
-    it "throws an error if transaction does not contain timeBounds" do
-      transaction.time_bounds = nil
+    describe "transaction time bounds" do
+      context "when transaction does not contain timeBounds" do
+        before { transaction.time_bounds = nil }
 
-      expect { read_challenge }.to raise_invalid("has expired")
-    end
+        it "throws an error" do
+          expect { read_challenge }.to raise_invalid("has expired")
+        end
+      end
 
-    it "throws an error if challenge is expired" do
-      transaction.time_bounds = Stellar::TimeBounds.new(min_time: 0, max_time: 5)
+      it "uses 5 minutes grace period for validation" do
+        now = Time.now.to_i
 
-      expect { read_challenge }.to raise_invalid("has expired")
-    end
+        transaction.time_bounds = Stellar::TimeBounds.new(min_time: now + 1.minute, max_time: now + 2.minutes)
+        expect { read_challenge }.not_to raise_error
+
+        transaction.time_bounds = Stellar::TimeBounds.new(min_time: now - 2.minutes, max_time: now - 1.minute)
+        expect { read_challenge }.not_to raise_error
+      end
 
-    it "throws an error if challenge is in the future" do
-      now = Time.now.to_i
-      transaction.time_bounds = Stellar::TimeBounds.new(min_time: now + 100, max_time: now + 500)
+      context "when challenge is expired beyond grace period" do
+        before { transaction.time_bounds = Stellar::TimeBounds.new(min_time: 0, max_time: 5) }
 
-      expect { read_challenge }.to raise_invalid("has expired")
+        it "throws an error if challenge is expired" do
+          expect { read_challenge }.to raise_invalid("has expired")
+        end
+      end
+
+      context "when challenge is in the future beyond grace period" do
+        it "throws an error" do
+          now = Time.now.to_i
+          transaction.time_bounds = Stellar::TimeBounds.new(min_time: now + 6.minutes, max_time: now + 7.minutes)
+
+          expect { read_challenge }.to raise_invalid("has expired")
+        end
+      end
     end
 
     it "throws an error if provided auth domain is wrong" do