From f0857e4fd817701edbf126ac9645cf23c6d65bc6 Mon Sep 17 00:00:00 2001
From: epriestley
Date: Fri, 2 Aug 2013 07:38:59 -0700
Subject: [PATCH] Improve error message for bad timestamps

Summary: Ref T3031. While we should probably do more than this, provide a more useful error message so I don't have to make users run `date` and such.
Test Plan: Added `|| true` and ran `arc list`:
$ arc list --conduit-uri=http://local.aphront.com:8080/
Exception ERR-INVALID-TOKEN: The request you submitted is signed with a timestamp, but that timestamp is not within 15 m of the current time. The signed timestamp is 1375454102 (Fri, 02 Aug 2013 07:35:02 -0700), and the current server time is 1375454102 (Fri, 02 Aug 2013 07:35:02 -0700). This is a differnce of 0 seconds, but the timestamps must differ from the server time by no more than 900 seconds. Your client or server clock may not be set correctly.
(Run with --trace for a full exception trace.)
Reviewers: btrahan, chad
Reviewed By: chad
CC: aran
Maniphest Tasks: T3031
Differential Revision: https://secure.phabricator.com/D6653
---
 .../ConduitAPI_conduit_connect_Method.php | 22 +++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/applications/conduit/method/ConduitAPI_conduit_connect_Method.php b/src/applications/conduit/method/ConduitAPI_conduit_connect_Method.php
index 080b530de2..00887d6b4d 100644
--- a/src/applications/conduit/method/ConduitAPI_conduit_connect_Method.php
+++ b/src/applications/conduit/method/ConduitAPI_conduit_connect_Method.php
@@ -117,8 +117,26 @@ final class ConduitAPI_conduit_connect_Method extends ConduitAPIMethod {
 
     $session_key = null;
     if ($token && $signature) {
-      if (abs($token - time()) > 60 * 15) {
-        throw new ConduitException('ERR-INVALID-TOKEN');
+      $threshold = 60 * 15;
+      $now = time();
+      if (abs($token - $now) > $threshold) {
+        throw id(new ConduitException('ERR-INVALID-TOKEN'))
+          ->setErrorDescription(
+            pht(
+              "The request you submitted is signed with a timestamp, but that ".
+              "timestamp is not within %s of the current time. The ".
+              "signed timestamp is %s (%s), and the current server time is ".
+              "%s (%s). This is a difference of %s seconds, but the ".
+              "timestamp must differ from the server time by no more than ".
+              "%s seconds. Your client or server clock may not be set ".
+              "correctly.",
+              phabricator_format_relative_time($threshold),
+              $token,
+              date('r', $token),
+              $now,
+              date('r', $now),
+              ($token - $now),
+              $threshold));
       }
       $valid = sha1($token.$user->getConduitCertificate());
       if ($valid != $signature) {
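Review bot: The signature check on the hunk's last context line, `if ($valid != $signature) {`, compares a hex SHA-1 digest against a client-supplied string with `!=`, which PHP evaluates numerically when both operands look numeric (digests of the form `0e` followed by digits compare equal to each other) and which is not constant-time; change it to `if (!hash_equals($valid, $signature)) {` (PHP 5.6+), or at minimum to `!==`. The new `abs($token - $now)` and `date('r', $token)` lines also assume `$token` is numeric before anything has checked it, so a malformed token reaches arithmetic and `date()` instead of the ERR-INVALID-TOKEN path; a guard such as `if (!ctype_digit((string)$token)) { throw new ConduitException('ERR-INVALID-TOKEN'); }` ahead of the threshold check would close that. The enclosing method continues outside the hunk.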