fix(agent): sync time if ingress expiry is invalid in read_state

Author: ilbertt

CHANGELOG.md

@@ -24,6 +24,7 @@ See the [v5 upgrading guide](https://js.icp.build/core/latest/upgrading/v5/) for
 - fix(agent): check if canister is in ranges for certificates without delegation
 - fix(agent): verify all query signatures instead of only the first one
 - fix(agent): sync time if ingress expiry is invalid in queries
+- fix(agent): sync time if ingress expiry is invalid in read_state
 - fix(agent): sync time before retrying if query signature is outdated
 - fix(agent,identity/secp256k1): remove `console.*` statements
 - refactor(agent): only declare IC URLs once in the `HttpAgent` class

docs/src/content/docs/upgrading/v5.md

@@ -217,7 +217,7 @@ The `@dfinity/assets` package has been deprecated. Its functionality is now part
 
 ## Fixes
 
-This release includes minor security improvements to how query responses are validated, strengthening certificate verification and query signature checks.
+This release includes minor security improvements to how `query` and `read_state` responses are validated, strengthening certificate verification and query/read_state signature checks.
 
 ---
 

e2e/node/basic/syncTime.test.ts

@@ -279,6 +279,45 @@ describe('syncTime', () => {
       expect(mockReplica.getV3ReadStateSpy(canisterId.toString())).toHaveBeenCalledTimes(4);
       expect(agent.hasSyncedTime()).toBe(true);
     });
+
+    it('should sync time when the local time does not match the subnet time (read_state)', async () => {
+      const agent = await HttpAgent.create({
+        host: mockReplica.address,
+        rootKey: rootSubnetKeyPair.publicKeyDer,
+        identity,
+      });
+
+      mockReplica.setV3ReadStateSpyImplOnce(canisterId.toString(), (_req, res) => {
+        res.status(400).send(new TextEncoder().encode(INVALID_EXPIRY_ERROR));
+      });
+
+      await mockSyncTimeResponse({
+        mockReplica,
+        rootSubnetKeyPair,
+        keyPair,
+        canisterId: ICP_LEDGER,
+      });
+
+      const { responseBody: readStateResponse } = await prepareV3ReadStateResponse({
+        nodeIdentity,
+        canisterRanges: [[canisterId.toUint8Array(), canisterId.toUint8Array()]],
+        rootSubnetKeyPair,
+        keyPair,
+        date,
+      });
+      mockReplica.setV3ReadStateSpyImplOnce(canisterId.toString(), (_req, res) => {
+        res.status(200).send(readStateResponse);
+      });
+
+      const response = await agent.readState(canisterId, {
+        paths: [[new TextEncoder().encode('time')]],
+      });
+
+      expect(response.certificate).toBeDefined();
+      expect(mockReplica.getV3ReadStateSpy(canisterId.toString())).toHaveBeenCalledTimes(2);
+      expect(mockReplica.getV3ReadStateSpy(ICP_LEDGER)).toHaveBeenCalledTimes(3);
+      expect(agent.hasSyncedTime()).toBe(true);
+    });
   });
 
   describe('on async creation', () => {

packages/core/src/agent/agent/http/index.ts

@@ -1190,6 +1190,12 @@ export class HttpAgent implements Agent {
     } catch (error) {
       let readStateError: AgentError;
       if (error instanceof AgentError) {
+        if (error.hasCode(IngressExpiryInvalidErrorCode) && !this.#hasSyncedTime) {
+          // if there is an ingress expiry error and the time has not been synced yet,
+          // sync time with the network and try again
+          await this.syncTime();
+          return await this.#readStateInner(url, transformedRequest, requestId);
+        }
         // override the error code to include the request details
         error.code.requestContext = {
           requestId: requestId ?? requestIdOf(transformedRequest),