fix: use server time for fingerprint timestamps to prevent clock drift rejections

Fingerprint validation was failing with "Timestamp expired" for users whose
local clock drifted beyond the server's tolerance. Now we fetch the server's
time via health.getTime() once per session and use it for all fingerprint
timestamps, eliminating dependency on the user's local clock.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: lohanidamodar

src/lib/helpers/fingerprint.ts

@@ -3,6 +3,37 @@ import { env } from '$env/dynamic/public';
 const SECRET = env.PUBLIC_CONSOLE_FINGERPRINT_KEY ?? '';
 const CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour
 
+/** Cached server timestamp and the local time it was fetched at, for interpolation. */
+let serverTimeCache: { serverSecs: number; fetchedAtMs: number } | null = null;
+
+/**
+ * Fetch and cache the server's clock so fingerprint timestamps always align
+ * with the backend's clock, regardless of local clock drift.
+ *
+ * @param getServerTime - callback that returns the server's unix timestamp in seconds
+ *                        (e.g. `health.getTime()` → `response.localTime`)
+ */
+export async function syncServerTime(
+    getServerTime: () => Promise<number>
+): Promise<void> {
+    if (serverTimeCache) return;
+    try {
+        const fetchedAtMs = Date.now();
+        const serverSecs = await getServerTime();
+        serverTimeCache = { serverSecs, fetchedAtMs };
+    } catch {
+        console.warn('Failed to sync server time for fingerprint');
+    }
+}
+
+function getServerTimestamp(): number {
+    if (!serverTimeCache) {
+        return Math.floor(Date.now() / 1000);
+    }
+    const elapsedSecs = Math.floor((Date.now() - serverTimeCache.fetchedAtMs) / 1000);
+    return serverTimeCache.serverSecs + elapsedSecs;
+}
+
 async function sha256(message: string): Promise<string> {
     if (!crypto?.subtle) {
         console.warn('crypto.subtle unavailable, fingerprinting disabled');
@@ -204,7 +235,7 @@ export async function generateFingerprintToken(): Promise<string> {
 
     const signals: BrowserSignals = {
         ...staticSignals,
-        timestamp: Math.floor(Date.now() / 1000)
+        timestamp: getServerTimestamp()
     };
 
     const payload = JSON.stringify(signals);

src/routes/(console)/project-[region]-[project]/+layout.ts

@@ -11,7 +11,7 @@ import { loadAvailableRegions } from '$routes/(console)/regions';
 import { type Models, Platform } from '@appwrite.io/console';
 import { redirect } from '@sveltejs/kit';
 import { resolve } from '$app/paths';
-import { generateFingerprintToken } from '$lib/helpers/fingerprint';
+import { generateFingerprintToken, syncServerTime } from '$lib/helpers/fingerprint';
 import { normalizeConsoleVariables } from '$lib/helpers/domains';
 import { browser } from '$app/environment';
 
@@ -107,7 +107,11 @@ export const load: LayoutLoad = async ({ params, depends, parent }) => {
     // Track console access for cloud projects (fire-and-forget, backend has 6-day cooldown).
     // Skip if paused — user must explicitly resume via the paused project modal.
     if (isCloud && browser && project.status !== 'paused') {
-        generateFingerprintToken()
+        syncServerTime(async () => {
+                const { localTime } = await sdk.forConsole.health.getTime();
+                return localTime;
+            })
+            .then(() => generateFingerprintToken())
             .then((fingerprint) => {
                 sdk.forConsole.client.headers['X-Appwrite-Console-Fingerprint'] = fingerprint;
                 return sdk.forConsole.projects.updateConsoleAccess({

src/routes/(console)/project-[region]-[project]/pausedProjectModal.svelte

@@ -6,7 +6,7 @@
     import { Dependencies } from '$lib/constants';
     import { addNotification } from '$lib/stores/notifications';
     import { Submit, trackError } from '$lib/actions/analytics';
-    import { generateFingerprintToken } from '$lib/helpers/fingerprint';
+    import { generateFingerprintToken, syncServerTime } from '$lib/helpers/fingerprint';
     import { Alert, Layout, Modal, Typography } from '@appwrite.io/pink-svelte';
     import { Status } from '@appwrite.io/console';
 
@@ -28,6 +28,10 @@
         error = null;
 
         try {
+            await syncServerTime(async () => {
+                const { localTime } = await sdk.forConsole.health.getTime();
+                return localTime;
+            });
             const fingerprint = await generateFingerprintToken();
             sdk.forConsole.client.headers['X-Appwrite-Console-Fingerprint'] = fingerprint;