Server Time Security

Server Time Security Implementation

Overview

The countdown timer now uses server-based timestamps to prevent client-side time manipulation. This ensures that promotional deadlines cannot be bypassed by users changing their system clock.

Architecture

1. Server Time API (`/api/time`)

Endpoint: GET /api/time
Response: { serverTime: number, requestTime: number | null }
Cache Headers: no-store, no-cache to ensure fresh timestamps
Security: No client input processing, returns authoritative server time

2. Client-Side Time Sync

The CountdownTimer component implements a sophisticated time synchronization system:

Initial Sync

On page load, fetches server time immediately
Calculates network latency (round-trip time)
Compensates for latency by adding half the round-trip time
Stores the offset between server and client time

Periodic Resync

Automatically resyncs every 5 minutes
Prevents long-running sessions from drifting
Non-blocking: countdown continues during resync

Time Calculation

getCurrentTime() = Date.now() + serverTimeOffset;

Security Features

1. Server Authority

Server time is the single source of truth
Client time is only used as a base for offset calculation
Cannot be manipulated without compromising the server

2. Network Latency Compensation

Measures round-trip time for each request
Assumes symmetric latency (reasonable for most networks)
Adds half the RTT to server time for accuracy

3. Fallback Handling

If server time fetch fails, logs error and continues
Prevents countdown from breaking due to network issues
Console logs provide debugging information

4. Periodic Validation

Resyncs every 5 minutes to prevent drift
Ensures long-running sessions stay accurate
Background sync doesn’t interrupt countdown display

Testing

Manual Test: Time Manipulation

Open DevTools Console and note the initial countdown
Change system time forward by 1 hour
Observe: Countdown should NOT skip ahead
Check console for sync logs: [Countdown] Server time synced. Offset: XXX ms
Refresh page: Countdown should show correct time from server

Automated Testing

// Test server time endpoint
fetch('/api/time')
  .then((r) => r.json())
  .then((data) => {
    console.log('Server time:', new Date(data.serverTime));
    console.log('Client time:', new Date());
    console.log('Difference (ms):', data.serverTime - Date.now());
  });

Implementation Details

Server Time Offset Calculation

Request Start (Client) ─────►
                              Server Processing
Response Received (Client) ◄──────

Round Trip Time = Response Time - Request Time
Network Latency (one way) ≈ RTT / 2

Estimated Server Time = Server Time + (RTT / 2)
Server Time Offset = Estimated Server Time - Client Time

Drift Prevention

The system checks if current time minus last sync time exceeds the sync interval:

if (clientTime - lastSyncTime > SYNC_INTERVAL) {
  syncServerTime(); // Non-blocking async resync
}

Limitations

Network Latency Accuracy: Assumes symmetric latency. In reality, request and response times may differ.
Failover to Client Time: If server is unreachable, falls back to client time (with console error).
5-Minute Sync Interval: Long enough to reduce server load, but short enough to catch major time changes.

Future Enhancements

Add visual indicator when server sync fails
Implement exponential backoff for failed sync attempts
Use multiple sync samples to improve accuracy
Add server-side deadline validation for purchases
Implement NTP-style time synchronization algorithm

Security Best Practices

Always validate deadlines on the server when processing purchases
Never trust client-side countdown for business logic
Log suspicious activities (e.g., multiple failed syncs)
Rate limit the /api/time endpoint to prevent abuse
Use HTTPS to prevent man-in-the-middle time manipulation