fix(@aws-amplify/core): Support clock skew

[ericclemmons]

Issue #, if available: Fixes #3567, fixes #4556 with help from @thiagohirata in #4251

Description of changes:

When reviewing @thiagohirata's PR (#4251) with the team, we learned that the AWS export will be removed in the near future.

So that Signer.ts honors clock skew, this PR introduces DateUtils for setting clock skew by embedding getDate() from aws-sdk

Users will be able to adjust this value in a backwards-compatible way via:

import { DateUtils } from "@aws-amplify/core"

DateUtils.setClockOffset(CLOCK_OFFSET);

Internally, Signer.ts replaces calls to new Date() with DateUtils.getDateWithClockOffset().

Type annotations:

This creates an opening for Amplify to automatically adjust clock-skew on users' behalf in the future.

Closes #4251

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[codecov]

Codecov Report

Merging #4844 into master will decrease coverage by <.01%.
The diff coverage is 80%.

@@            Coverage Diff             @@
##           master    #4844      +/-   ##
==========================================
- Coverage   76.28%   76.28%   -0.01%     
==========================================
  Files         174      175       +1     
  Lines        9644     9652       +8     
  Branches     1977     1978       +1     
==========================================
+ Hits         7357     7363       +6     
- Misses       2142     2144       +2     
  Partials      145      145

Impacted Files	Coverage Δ
packages/core/src/Util/index.ts	100% <100%> (ø)	⬆️
packages/core/src/Signer.ts	93.1% <100%> (+0.05%)	⬆️
packages/core/src/Util/DateUtils.ts	66.66% <66.66%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1ed9f0a...501ffa5. Read the comment docs.

[Amplifiyer]

LGTM 👍

[houmark]

Thanks @ericclemmons! This looks promising.

Users will be able to adjust this value in a backwards-compatible way via:

import { DateUtils } from "amplify"

DateUtils.setClockOffset(CLOCK_OFFSET);

Can you confirm that:
import { DateUtils } from "amplify"

should actually be:
import { DateUtils } from "@aws-amplify"

It'd be great with an example on how to use this in a normal use case for example in a React component.

This creates an opening for Amplify to automatically adjust clock-skew on users' behalf in the future.

Is there a particular reason for not making it default now? For developers using Amplify, realizing that this is in fact a problem affecting their app/platform, that typically starts with getting random user reports with 403 errors, to realizing the exact reason for the error seems long and painful. This should at least be documented.

[ericclemmons]

@houmark Whoops, I mistyped the sample above. It now reads:

import { DateUtils } from "@aws-amplify/core"

You're exactly right: now that we have the API in place, we'll be working on handling this automatically. The level of effort is higher than this PR, so we wanted to get it in customers' hands sooner.

I shared my notes on how I've been reproducing the clock skew errors here:

#2014 (comment)

The next steps are to get API (and all categories) to handle this automatically.

I'll report back if I find new ways of leveraging this API on your own. Until then, a couple customers noted their solutions here:

• fix(@aws-amplify/core): AWS.config.systemClockOffset for signing requ… #4251 (comment)
• fix(@aws-amplify/core): AWS.config.systemClockOffset for signing requ… #4251 (comment)

Thanks @houmark for staying on top of this & working with me on it!

[houmark]

Thanks @ericclemmons!

Sorry for my ignorance, but I'm still a bit confused about how to use this particular fix in for example a React component.

I have a component that is doing an unAuth'ed GraphQL query, so it's using authMode AWS_IAM where this is a problem. Will calling DateUtils.setClockOffset(CLOCK_OFFSET); at the start of the component correct the clock skew, so once the API.graphql runs, it will work even for users with clock being off?

Do you know when you'll be releasing aws-amplify again?

[dorsegal]

@houmark I have just tested amplify 2.2.4 with DateUtils.setClockOffset(CLOCK_OFFSET) at the start of our application and it looks good.
You can test it yourself by changing your client clock and make an API call

[ericclemmons]

@dorsegal What method are you using for computing the CLOCK_OFFSET? We have some work to do to automate this within our categories, but it'd be great to keep a list of how customers are handling this until then.

[dorsegal]

@dorsegal What method are you using for computing the CLOCK_OFFSET? We have some work to do to automate this within our categories, but it'd be great to keep a list of how customers are handling this until then.

#4251 (comment)

[ericclemmons]

@dorsegal Ah, thanks! We were testing out that method, but have to dig more into internals to support the "logged out" scenario: where a user can't even sign in due to clock skew.

[Jun711]

@ericclemmons @dorsegal @houmark

To fix clock skew for non-logged in users using DateUtils.setClockOffset, we can do this. It worked for both logged-in and non-logged-in users.

import Auth from '@aws-amplify/auth';
import { DateUtils } from '@aws-amplify/core';

Auth.currentUserCredentials()
.then(cred => {
  console.log('amplify currentUserCredentials ', cred);
  console.log('amplify currentUserCredentials ', cred['cognito']);
  console.log('amplify currentUserCredentials ', cred['cognito']['config']['systemClockOffset']);
  DateUtils.setClockOffset(cred['cognito']['config']['systemClockOffset']);
})

In aws-sdk.js, there are functions to handle clockSkew: getSkewCorrectedDate, applyClockOffset and isClockSkewed, why doesn't Amplify use / adopt aws-sdk.js available methods to fix clock skew?

Automate Clock Skew Fix Attempt

Furthermore, In aws-sdk.js, there is CognitoIdentityCredentials class that takes ConfigurationOptions as argument. There is this option correctClockSkew in ConfigurationOptions class.

Using DateUtils, I tested locally by changing js files(Credentials.js in @aws-amplify/auth) in node_modules and it seemed to work.
Changes can be seen here -> Jun711@421a040

credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: identityPoolId,
  IdentityId: identityId ? identityId : undefined,
}, {
  region: region,
  correctClockSkew: true
});

How can I link amplify library locally and test with my changes?
I followed the steps listed here https://github.com/aws-amplify/amplify-js/wiki/Local-Development#other-tips:

yarn build
yarn link-all

During yarn link-all in aws-amplify folder, there is this error No registered package found called for all the packages.

yarn link-all                           aws-amplify git:(clockdrift) 12:37pm
yarn run v1.19.2
$ yarn unlink-all && lerna exec --parallel yarn link
$ lerna exec --parallel --bail=false yarn unlink
lerna notice cli v3.20.2
lerna info versioning independent
lerna info Executing command in 19 packages: "yarn unlink"
@aws-amplify/analytics: error No registered package found called "@aws-amplify/analytics".
@aws-amplify/analytics: info Visit https://yarnpkg.com/en/docs/cli/unlink for documentation about this command.
@aws-amplify/api: error No registered package found called "@aws-amplify/api".
...
lerna ERR! Received non-zero exit code 1 during execution
lerna success exec Executed command in 19 packages: "yarn unlink"
error Command failed with exit code 1.

in my project folder, I ran yarn link aws-amplify @aws-amplify/api @aws-amplify/auth @aws-amplify/pubsub and got this output

yarn link v1.19.2
error No registered package found called "aws-amplify".
info Visit https://yarnpkg.com/en/docs/cli/link for documentation about this command.

[Jun711]

@ericclemmons
What is Amplify recommended way to adjust clockOffset for not logged in users?

[KevinToala]

I also have the same problem.
How can I get CLOCK_OFFSET for users who have not logged? I use cognito hosted ui with amplify to login with facebook and google.

Auth.currentUserCredentials() can't return cognito.config.systemClockOffset, return accessKeyId, sessionToken, secretAccessKey, identityId, authenticated properties :/

[github-actions]

This pull request has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.