-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Users signed out randomly #14033
Comments
Hi @ab-bee, thanks for reporting this issue we will start investigation. Also could you clarify:
by local storage, you mean the underlying AsyncStorage of your react-native app? |
Hi @ab-bee I couldn't reproduce this error in a react-native app that's running on Android. We recently fixed (v6.7.0) a bug that disturbed the above flows and causing the tokens to be cleared. If you upgraded aws-amplify from an older version, could you try to clean all build cache and try again? |
Thank you! |
Thank you for confirming @ab-bee. Were you able to verify the suggestion I gave above? |
Hi again, I have cleared out the |
Re-opening this as one of our testers just got logged out, except they didn't lose internet connection so that may have been a red herring. |
Hi @ab-bee could you describe the preconditions of the situation described in your last comment without losing network connection? Is this consistently reproducible and what are the reproducing steps? |
Hi @HuiSF, This is what we did:
Only one user (one of the Android users) had been logged out, so it's not consistently reproducible unfortunately :( |
Thanks for the follow @ab-bee
Do you know what exactly did they do to validate this? (for example actions triggered an Amplify library API call, and which API etc.) |
They opened the app from the background and that triggers an API call to our back-end with the user's access token as authorization. We call AWS Amplify's Also one of the other people just tried to open the app to check again and they were also logged out. Other details:
|
I think I just reproduced the issue with the Amplify logging on (
We found it strange that the log referred to a 'federated user', because we don't use federated identities in our app. There's then a log saying 'Succeed to get the user session' (with the session data included below), however, an API call that used the token failed with an 'unauthenticated' error, so it seems that the token is actually invalid. This error was thrown from the
I also just noticed that when the access token expiry period is set to 5 minutes, after 5 minutes it successfully updates to the next 5 minutes and I don't get logged out. It's only after an hour that I get logged out. The |
@HuiSF We have been experiencing this in our project as well. We are unable to reproduce it, but we get around 40-50 cases every day, which adds up quickly. We are using v6.6.5 of the package and the package defaults to async-storage for persisting tokens.
For the above package version configuration, we noticed that the values stored in async storage are either empty or incomplete (for eg, has idToken but no refreshToken, or has refreshToken and no idToken). I wonder if this is an issue with how aws-amplify handles the storage of tokens to async-storage, or is it an issue with how async-storage manages the stored values. |
I'm trying to reproduce the issue again and noticed that this time, while I got the log I then got a So I'm not sure if the |
Just an update, I logged the access token and refresh token that were being stored in async storage, and tried decoding them. edit: Just checked and I have the same invalid refresh token in one of our other apps where we're not experiencing the random logouts. So maybe that's a red herring 😭 In the app that does have the random signouts issue, we use AsyncStorage for a few other things, whereas in the other app (that doesn't have the issue) we only use it for AWS Amplify. Again, not sure if that's relevant but thought it was worth mentioning in case it's a clue. |
Hi @adithyavis if you are experience the same issue on Android, please upgrade Amplify library to the latest version. We fixed a known issue that refresh token may fail without retry since version |
Hi @ab-bee when you reverted back to v5, what version did you use? We fix the same issue described above with version
To clarify, refresh token is service encrypted by Cognito, you are unable to decode it by yourself. |
Interesting, I reverted back to the version we were previously on which was |
Jumping in here to not create a duplicate issue and validate my findings with others. In my team, we are also experiencing this and I believe I know why. The situation is similar to what others have experienced. It happens when the access token is expired and is being refreshed. In our app, we call tl;dr, Both Detailed Step by Step
Finding out that the tokens are expired and attempt to refresh the token, once the new tokens are available, the tokens are then stored in local storage. Now here comes the issue When storing the new tokens, the first thing done is all tokens are cleared <--- BUG: amplify-js/packages/auth/src/providers/cognito/tokenProvider/TokenStore.ts Lines 96 to 98 in 72c4364
Followed by amplify-js/packages/auth/src/providers/cognito/tokenProvider/TokenStore.ts Lines 100 to 104 in 72c4364
Now because this is an async call, it now allows other code to run -> the
Now when the tokens are trying to be retrieved, the Down the road would be an Because there is no refresh token, the following is called: amplify-js/packages/auth/src/providers/cognito/tokenProvider/TokenOrchestrator.ts Lines 171 to 175 in 72c4364
Which resets the correctly stored tokens -> Now the user is in a logged out state SolutionThere has been a pr submitted to address a different issue but is also applicable here, where basically tokens are not being completely reset when storing them, but instead only update/delete updated/removed values |
Hi @itsramiel thanks for the detail analysis - we are looking into this. |
@itsramiel - Really appreciate the deep dive and it gave us a great starting point into our investigation. We are evaluating the PR mentioned above but would like to also root cause this issue and I'm finding it difficult to reproduce and would appreciate it if we could get some additional info about exactly which error is causing this token clearance to be triggered. The issue I'm running into in my repro is related to this comment:
During this fetchAuthSession call - if the tokens are no longer in the store (due to the first call clearing them out and having not yet repopulated them yet) - it should not itself try to refresh tokens (and therefore not throw any sort of refresh errors) due to an early return: amplify-js/packages/auth/src/providers/cognito/tokenProvider/TokenOrchestrator.ts Lines 112 to 117 in da62f57
I'm wondering if you can help confirm that the amplify-js/packages/auth/src/providers/cognito/tokenProvider/TokenOrchestrator.ts Lines 171 to 175 in da62f57
Is indeed being called by attaching a Hub listener for the failure event associated below: amplify-js/packages/auth/src/providers/cognito/tokenProvider/TokenOrchestrator.ts Lines 177 to 185 in da62f57
And could you also tell me if you are ever calling Edit: FWIW, I do believe there could be a race condition in all this, I am just trying to lock down exactly where |
Hi @cshfang Yes you are right to think that this will early return: amplify-js/packages/auth/src/providers/cognito/tokenProvider/TokenOrchestrator.ts Lines 112 to 117 in da62f57
but actually the error doesnt occur here. The tokens here are being successfully fetched before the call to The problem is that by the time that the return values are returned, processed, and figured out that the accessToken is expired, then refreshToken then is fetched. And by that time, the tokens were cleared already. Yes the
Never. I let amplify decide when to do it.
Yes I am 100% confident. I reproduced it multiple times. You can't reproduce it every time because it all depends on the async nature of js and how sync function are called when async functions are awaited |
@itsramiel, appreciate the responses and details here. Upgrading this issue to a bug as we look into it further. |
@itsramiel Gotcha, I think your reply was super helpful and got me thinking that, crucially, the loadTokens function itself is peppered with I am now able to reproduce such a case reliably and will be working with the team on addressing the root cause. In the meantime, I can see how the proposed PR would also serve to mitigate this and we'll continue working to get that through. |
Is the local storage methods async because of react native async storage? I know web's is sync. Because in react native, the kinda new standard in react-native-mmkv which is sync. If rn was the only reason why storage was async then it can be changed into sync and all the peppered await would be removed |
@itsramiel we use async storage operations to support React Native's AsyncStorage, but we're still looking into the root cause of the race condition. We will update this as soon as we can and appreciate the patience. |
Yes, you intuited the reason our default storage is async - code sharing between RN and Web implementations. We are aware of mmkv as an alternative but there is a lot of due diligence that needs to be done by us still 😔 |
Before opening, please confirm:
JavaScript Framework
React Native
Amplify APIs
Authentication
Amplify Version
v6
Amplify Categories
auth
Backend
None
Environment information
Describe the bug
Users are signed out before their refresh token expires if they lose internet connection.
There are no tokens in local storage when they're signed out.
Using the latest AWS Amplify version (v6.9.0).
Expected behavior
Users remain signed in until their refresh token expires.
Reproduction steps
Log output
Manual configuration
Mobile Operating System
Android
The text was updated successfully, but these errors were encountered: