amazon-cognito-identity-js - Optional time buffer for CognitoUserSession.isValid

Open jstarmx opened this issue 2 years ago • 1 comments

Is this related to a new or existing framework?

No response

Is this related to a new or existing API?

Authentication

Is this related to another service?

No response

Describe the feature you'd like to request

This function detects if a session is valid - if not, it refreshes the ID and access tokens. https://github.com/aws-amplify/amplify-js/blob/main/packages/amazon-cognito-identity-js/src/CognitoUserSession.js#L73

If you are using these tokens to authenticate polling API requests, and especially if the expiry times of the tokens are short, on occasion the token will expire between the point that it is considered 'valid' and the point it is evaluated on the back-end.

This is a request to add an optional 'buffer' period, so that the tokens can be refreshed if they are within a certain time of expiry, e.g. 15 seconds, to prevent this issue from occurring.

Describe the solution you'd like

A way to define the buffer period, if not defined then existing behaviour is maintained.

Describe alternatives you've considered

Building an implementation outside of the library, but the library already takes care of things like debouncing multiple requests, so building it in would be a lot more efficient.

Additional context

Implementation could look something like

isValid() {
	// Current time in whole seconds, corrected by the stored clock drift
	const now = Math.floor(new Date() / 1000);
	const adjusted = now - this.clockDrift;

	// Treat each token as expiring expiryBuffer seconds early
	const accessTokenExpiration = this.accessToken.getExpiration() - this.expiryBuffer;
	const idTokenExpiration = this.idToken.getExpiration() - this.expiryBuffer;

	return (
		adjusted < accessTokenExpiration &&
		adjusted < idTokenExpiration
	);
}

this.expiryBuffer would be set on initialisation, passed from config otherwise defaulting to 0.

Is this something that you'd be interested in working on?

  • [X] 👋 I may be able to implement this feature request
  • [ ] ⚠️ This feature might incur a breaking change

jstarmx avatar Feb 09 '23 12:02 jstarmx
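
Added example (not from the issue author or the amplify-js code base): a stand-alone JavaScript sketch of the check proposed above, showing a token that passes the client-side check, fails a strict check moments later at the back-end, and is caught by a buffer. `makeSampleToken`, `getExpiration`, `isSessionValid` and `demo` are hypothetical names, and the tokens are constructed, unsigned samples.

```javascript
// Added example: hypothetical helpers, not part of amazon-cognito-identity-js.

// Constructed sample input: an unsigned, JWT-shaped string carrying only `exp`.
function makeSampleToken(exp) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc({ exp })}.`;
}

// Read `exp` (seconds since epoch) without verifying the signature. That is
// enough to schedule a refresh; it is not an authorization decision.
function getExpiration(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const payload = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  if (!Number.isFinite(payload.exp)) throw new Error('missing exp claim');
  return payload.exp;
}

// The comparison from the issue, with the buffer passed in (default 0 keeps
// the existing behaviour). `nowSeconds` is a parameter so the demo is repeatable.
function isSessionValid(session, nowSeconds, expiryBuffer = 0) {
  if (!Number.isFinite(expiryBuffer) || expiryBuffer < 0) {
    throw new RangeError('expiryBuffer must be a non-negative number of seconds');
  }
  const adjusted = nowSeconds - session.clockDrift;
  return (
    adjusted < getExpiration(session.accessToken) - expiryBuffer &&
    adjusted < getExpiration(session.idToken) - expiryBuffer
  );
}

// Constructed timeline: both tokens expire at t=1000, the client checks at
// t=999 and the request is evaluated at t=1000.
function demo() {
  const session = { accessToken: makeSampleToken(1000),
                    idToken: makeSampleToken(1000), clockDrift: 0 };
  return {
    clientNoBuffer: isSessionValid(session, 999),       // sent as "valid"
    backEndStrict: isSessionValid(session, 1000),       // rejected on arrival
    clientWithBuffer: isSessionValid(session, 999, 15), // refresh first
    earlyWithBuffer: isSessionValid(session, 900, 15),  // no needless refresh
  };
}

console.log(demo());
```

The buffer only changes when the client refreshes; the back-end still has to enforce `exp` itself. A buffer equal to or longer than the token lifetime makes every check report invalid, so each call would trigger a refresh.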

Marked as a feature request.

haverchuck avatar Jun 24 '24 18:06 haverchuck

We're facing the same issue in @aws-amplify/auth. The token is still valid when it's validated on the client, but 0.3 seconds later, when the server checks, it's expired.

oxc avatar Dec 09 '24 14:12 oxc

The relevant code for @aws-amplify/auth is probably here https://github.com/aws-amplify/amplify-js/blob/72c43643065da09908f83968996cea4243fdadda/packages/auth/src/providers/cognito/tokenProvider/TokenOrchestrator.ts#L118-L138 and here https://github.com/aws-amplify/amplify-js/blob/72c43643065da09908f83968996cea4243fdadda/packages/core/src/singleton/Auth/index.ts#L12-L22

oxc avatar Dec 09 '24 14:12 oxc

Hey @oxc, thanks for chiming in here to add more visibility. We'll investigate our options here internally and follow up.

jjarvisp avatar Dec 09 '24 16:12 jjarvisp

Just for the record, please note that we are not using a custom expiration time, but the standard time of 60 minutes. However, we have a polling task that runs every minute or so, and that seems to often enough hit at exactly 3600 seconds later. The tokens on the server side are usually expired by 0.1-0.3 seconds or so.

oxc avatar Dec 10 '24 09:12 oxc

Thanks for the additional details @oxc. Your experience is closely related to #13710 and you will likely find some additional context there. We are actively working to address this and should have a release formalized in the near future.

jjarvisp avatar Dec 10 '24 19:12 jjarvisp