Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

fix(auth): prevent random logouts by fixing overly aggressive token clearing #14568

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
anivar wants to merge 3 commits into aws-amplify:main
base: main
Choose a base branch
Loading
from anivar:fix/auth-logout-issue-14534
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
View file Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,6 +96,10 @@ describe('tokenOrchestrator', () => {
});

describe('handleErrors method', () => {
beforeEach(() => {
jest.clearAllMocks();
});

it('does not call clearTokens() if the error is a network error thrown from fetch handler', () => {
const clearTokensSpy = jest.spyOn(tokenOrchestrator, 'clearTokens');
const error = new AmplifyError({
Expand All @@ -109,5 +113,102 @@ describe('tokenOrchestrator', () => {

expect(clearTokensSpy).not.toHaveBeenCalled();
});

it('calls clearTokens() for NotAuthorizedException', () => {
const clearTokensSpy = jest.spyOn(tokenOrchestrator, 'clearTokens');
const error = new AmplifyError({
name: 'NotAuthorizedException',
message: 'Not authorized',
});

const result = (tokenOrchestrator as any).handleErrors(error);

expect(clearTokensSpy).toHaveBeenCalled();
expect(result).toBeNull();
});

it('calls clearTokens() for TokenRevokedException', () => {
const clearTokensSpy = jest.spyOn(tokenOrchestrator, 'clearTokens');
const error = new AmplifyError({
name: 'TokenRevokedException',
message: 'Token revoked',
});

expect(() => {
(tokenOrchestrator as any).handleErrors(error);
}).toThrow(error);

expect(clearTokensSpy).toHaveBeenCalled();
});

it('calls clearTokens() for UserNotFoundException', () => {
const clearTokensSpy = jest.spyOn(tokenOrchestrator, 'clearTokens');
const error = new AmplifyError({
name: 'UserNotFoundException',
message: 'User not found',
});

expect(() => {
(tokenOrchestrator as any).handleErrors(error);
}).toThrow(error);

expect(clearTokensSpy).toHaveBeenCalled();
});

it('does not call clearTokens() for service errors (500)', () => {
const clearTokensSpy = jest.spyOn(tokenOrchestrator, 'clearTokens');
const error = new AmplifyError({
name: 'InternalServerError',
message: 'Internal server error',
});

expect(() => {
(tokenOrchestrator as any).handleErrors(error);
}).toThrow(error);

expect(clearTokensSpy).not.toHaveBeenCalled();
});

it('does not call clearTokens() for rate limit errors', () => {
const clearTokensSpy = jest.spyOn(tokenOrchestrator, 'clearTokens');
const error = new AmplifyError({
name: 'TooManyRequestsException',
message: 'Too many requests',
});

expect(() => {
(tokenOrchestrator as any).handleErrors(error);
}).toThrow(error);

expect(clearTokensSpy).not.toHaveBeenCalled();
});

it('does not call clearTokens() for throttling errors', () => {
const clearTokensSpy = jest.spyOn(tokenOrchestrator, 'clearTokens');
const error = new AmplifyError({
name: 'ThrottlingException',
message: 'Request throttled',
});

expect(() => {
(tokenOrchestrator as any).handleErrors(error);
}).toThrow(error);

expect(clearTokensSpy).not.toHaveBeenCalled();
});

it('does not call clearTokens() for temporary service issues', () => {
const clearTokensSpy = jest.spyOn(tokenOrchestrator, 'clearTokens');
const error = new AmplifyError({
name: 'ServiceUnavailable',
message: 'Service temporarily unavailable',
});

expect(() => {
(tokenOrchestrator as any).handleErrors(error);
}).toThrow(error);

expect(clearTokensSpy).not.toHaveBeenCalled();
});
});
});
View file Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@ import {
} from '@aws-amplify/core';
import {
AMPLIFY_SYMBOL,
AmplifyErrorCode,
assertTokenProviderConfig,
isBrowser,
isTokenExpired,
Expand Down Expand Up @@ -170,10 +169,15 @@ export class TokenOrchestrator implements AuthTokenOrchestrator {

private handleErrors(err: unknown) {
assertServiceError(err);
if (err.name !== AmplifyErrorCode.NetworkError) {
// TODO(v6): Check errors on client

// Only clear tokens for definitive authentication failures
// Do NOT clear tokens for transient errors like service issues, rate limits, etc.
const shouldClearTokens = this.isAuthenticationError(err);

if (shouldClearTokens) {
this.clearTokens();
}

Hub.dispatch(
'auth',
{
Expand All @@ -190,6 +194,22 @@ export class TokenOrchestrator implements AuthTokenOrchestrator {
throw err;
}

private isAuthenticationError(err: any): boolean {
// Only clear tokens for errors that definitively indicate the tokens are invalid
// and re-authentication is required. All other errors (service errors, rate limits, etc.)
// should preserve the tokens to allow for retry.
// See: https://github.com/aws-amplify/amplify-js/issues/14534
const authErrorNames = [
'NotAuthorizedException', // Refresh token is expired or invalid
'TokenRevokedException', // Token was revoked by admin
'UserNotFoundException', // User no longer exists
'PasswordResetRequiredException', // User must reset password
'UserNotConfirmedException', // User account is not confirmed
];

return authErrorNames.some(errorName => err.name?.startsWith(errorName));
}

async setTokens({ tokens }: { tokens: CognitoAuthTokens }) {
return this.getTokenStore().storeTokens(tokens);
}
Expand Down

AltStyle によって変換されたページ (->オリジナル) /