fetchAuthSession triggering logout when offline

[dehli]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.
• I have read the guide for submitting bug reports.
• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

Fix can be found here: #6061

JavaScript Framework

React

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

CDK

Environment information

# Put output below this line

Describe the bug

If you call Auth.fetchAuthSession({ forceRefresh: true }) while offline, amplify will trigger the logout flow.

Expected behavior

I'd expect an error, but I wouldn't expect to be logged out.

Reproduction steps

1. Install latest version of AWS amplify with auth.
2. Sign in.
3. Go offline.
4. Call Auth.fetchAuthSession({ forceRefresh: true }) (I did this by adding the function to the window).

Code Snippet

// Put your code below this line.
window.TRIGGER_ERROR = () => Auth.fetchAuthSession({ forceRefresh: true });

Log output

// Put your logs below this line
{"channel":"auth","payload":{"event":"tokenRefresh_failure","data":{"error":{"name":"NetworkError","underlyingError":{}}}},"source":"Auth","patternInfo":[]}

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

Related to aws-amplify/amplify-js#13596 & aws-amplify/amplify-js#13993

The below chunk of code is NOT responsible for clearing the tokens. I confirmed that the signout workflow is triggered further downstream.

https://github.com/aws-amplify/amplify-js/blob/0f5091780046b9556b98300c29fb970a0358bd70/packages/auth/src/providers/cognito/tokenProvider/TokenOrchestrator.ts#L173-L176

If I return null (and prevent calling the subsequent Hub.dispatch) I am not logged out. Not sure what implications that will have so I didn't submit a PR.

        if (err.name !== AmplifyErrorCode.NetworkError) {
            // TODO(v6): Check errors on client
            this.clearTokens();
        } else {
            return null; // <-- Adding this "fixes" the issue
        }
        Hub.dispatch('auth', {
            event: 'tokenRefresh_failure',
            data: { error: err },
        }, 'Auth', AMPLIFY_SYMBOL);

[didemkkaslan]

Having the same issue, I see tokenRefresh_failure event being fired and tokens are removed from cookie storage

[ashika112]

@dehli Thanks for taking a look. I can confirm i see the same behavior as well. I will look closer into this today and report back.

[ashika112]

@dehli @didemkkaslan Can you confirm which version are you both on? There was a retry fix just recently, while i see the issue on 6.6.4 (I used this version since that was what @didemkkaslan issue mentioned and on another issue as well) when i try the most recent version 6.8.0 i dont see the logout behavior anymore. Can one of you confirm ?

[dehli]

Hey @ashika112, thanks for looking into it. I'm on 6.8.0 currently and seeing this behavior. I just removed my node_modules and reinstalled them to confirm that I was on that version. I was still able to trigger logout by calling fetchAuthSession({ forceRefresh: true }); while offline.

Here's my stacktrace:

[ashika112]

@dehli so this what i see, i do get network error but after that when network comes back on i am able to get credentials and token for the customer and not logged out.

[ashika112]

@dehli do you have any custom storage implementation? Would it be possible to put out a minimal code reproducing and share me the repo?

[dehli]

No custom storage. I'll work on putting together a minimal reproducing example though 👍

[ashika112]

@dehli , I was also testing in next js since some other issues was there. I will also try in react now at my end (which i notice is what you use at your end).

[ashika112]

@dehli Im able to reproduce this consistently in React and hence i have marked this as bug. We will keep this ticket posted for updates.

[dehli]

Awesome! Thanks so much 🎉

[didemkkaslan]

I've tested both versions

With aws-amplify: "6.6.4"
When I go offline and triggered the method @dehli provides window.TRIGGER_ERROR = () => Auth.fetchAuthSession({ forceRefresh: true });

Got the below error and tokens are deleted from my custom cookie storage

With aws-amplify: "6.8.0"

Tokens are not deleted from my custom cookie storage, I can still access session idtoken data

My custom cookie storage implementation:

const cookieOptions: OptionsType =
  process.env.NEXT_PUBLIC_ENV === 'msteams'
    ? {
        domain: 'tab.app.spiky.ai' as string,
        sameSite: 'none' as 'lax' | 'strict' | 'none',
        secure: true,
      }
    : {};

const keyValueStorage = createKeyValueStorageFromCookieStorageAdapter({
  get(name) {
    const value = getCookie(name, cookieOptions);
    return { name, value };
  },
  getAll() {
    const cookies = getCookies(cookieOptions);
    return Object.keys(cookies).map((name) => ({ name, value: cookies[name] }));
  },
  set(name, value) {
    const cookieAlreadyExists = getCookie(name, cookieOptions);

    if (cookieAlreadyExists) {
      console.log(
        'cookieAlreadyExists so Im deleting it and setting new one',
        cookieAlreadyExists,
      );
      deleteCookie(name, cookieOptions);
    }
    setCookie(name, value, cookieOptions);
  },
  delete(name) {
    deleteCookie(name, cookieOptions);
  },
});

I have one question tho: I shouldn't signout the user when a tokenrefresh_failure event fires right?

[ashika112]

@didemkkaslan Ideally you want log customer out when there is error except for Network error.

[ashika112]

@dehli Do you use Authenticator by any chance? taking another close look. I see this behavior only when using Authenticator component not when using the Auth APIs directly? If you do not use Authenticator, then I am going to need the reproducible code sample.

Sorry for the back and forth. As i investigate i see the behavior is scoped only to the component.

[dehli]

@ashika112 Yep, I am using the Authenticator component (although I am referencing Auth.fetchAuthSession directly). No need to apologize, happy to help how I can!

[ashika112]

@dehli I think this is scoped to Authenticator. Is it possible for you to verify the behavior without Authenticator? On my side, im going to reach out to amplify-ui repo.

[dehli]

It will take a bit to pull out the Authenticator with the way our project is setup. I did look through the amplify-js library for a bit this morning a bit and couldn't find anything that would cause the signout behavior so it being in a separate repo makes a lot of sense.

From my investigation this morning, it seemed to be related to the tokenRefresh_failure event that is sent over Hub. When searching over there for it, you can see a handful of references so I think it's safe to close this issue. https://github.com/search?q=repo%3Aaws-amplify%2Famplify-ui+tokenRefresh_failure&type=code

[ashika112]

@dehli I am working internally with the team right now, if this needs to be in their repo, i will re-route this ticket to them so they have context.

[dehli]

Sounds good! This seems to be what's causing the behavior:

amplify-ui/packages/ui/src/helpers/authenticator/defaultAuthHubHandler.ts

Lines 32 to 36 in 2e3a051

	case 'tokenRefresh_failure': {
	if (event === 'signedOut' && isFunction(onSignOut)) {
	onSignOut();
	}
	send('SIGN_OUT');