amazon-archives / amazon-cognito-js

Amazon Cognito Sync Manager for JavaScript
http://aws.amazon.com/cognito
Apache License 2.0

no error when jwt/session is expired #37

Closed jotto closed 7 years ago

jotto commented 7 years ago

If the jwt is not refreshed (and becomes expired), and a dataset is synchronized, the onSuccess callback is called. The logs look like this:

syncing myTestDataset
console.js:26 Starting synchronization... (retries: 3)
console.js:26 Checking for locally merged datasets... found 0.
console.js:26 Detecting last sync count... 43
console.js:26 Fetching remote updates... found 0.
console.js:26 Checking for remote merged datasets... found 0.
console.js:26 Checking for remote updates since last sync count... found 0.
console.js:26 Nothing updated remotely. Pushing local changes to remote.
console.js:26 Sync successful.

Is this expected behavior? I would have expected onFailure to be called, otherwise how would we know whether an empty local dataset is truly empty or not? (we'd get onSuccess, and all gets would return undefined.)

If it is expected behavior, what is a best practice?

By the way, I actually discovered this problem through an official email from AWS:

> Recently, we saw that most of your calls to federate Cognito user Pool users into AWS with federated identities are failing because your code is sending expired Cognito User Pools ID Token to the federated identity service.

(as opposed to an error being thrown in the amazon-cognito-js code)

chetanme commented 7 years ago

The error we reported to you for expired tokens was for the User Pools tokens, they do not have a direct correlation with dataset synchronization. If your user pools token is expired, your client never gets temporary AWS credentials from federated identity service and hence never calls Cognito Sync.

Can you paste some code here, so we can see what exactly might be wrong?

jotto commented 7 years ago

I'm surprised to hear anything is wrong/broken/erroring beyond the silent failure from the flow mentioned in the original post because I'm not seeing any errors or broken functionality.

Since we may be forking the original topic, I'd ask any of the amazon-cognito-js lib developers to still look at the original post.

@chetanme I'm not currently paying the monthly fee for AWS support so that means I have no way of contacting you through the official channels (despite you being able to contact me). I also have no visibility into whether something is actually wrong (as mentioned in the first paragraph) so I'm "in the dark" here. Please feel free to contact me directly either via the email for my account in AWS's system or jonathan.otto@gmail.com

jotto commented 7 years ago

> I'd ask any of the amazon-cognito-js lib developers to still look at the original post.

I actually can't reproduce this now. When I save a JWT and then use it an hour later, I am indeed getting an error via the onFailure.

A couple days ago I did get into a state where the onSuccess was firing, despite an expired JWT but now I can't reproduce it.

I'm tentatively calling this situation resolved since 1) I'm getting errors on onFailure callback, and 2) I wasn't previously refreshing tokens

unless, after today, the AWS team sends me another email that I'm still failing requests.
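
The thread ends with tokens being refreshed before use. As an added example (not code from the thread or from amazon-cognito-js), here is one way to check the ID token's `exp` claim on the client and route an expired, unrefreshable token to `onFailure` instead of attempting a sync. All function names are hypothetical, `refreshToken` and `doSync` are assumed caller-supplied wrappers around whatever refresh and synchronize calls the application uses, and the sample tokens are constructed and unsigned.

```javascript
// Added example; these names are hypothetical, not part of amazon-cognito-js.

// Decode the payload (second segment) of a JWT. No signature verification:
// this is only a client-side freshness check, not token validation.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  let b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Seconds left before exp, minus a clock-skew margin.
// Malformed tokens and tokens without a numeric exp count as expired.
function secondsUntilExpiry(token, nowMs = Date.now(), skewSec = 60) {
  try {
    const { exp } = decodeJwtPayload(token);
    if (typeof exp !== 'number' || !Number.isFinite(exp)) return -Infinity;
    return exp - Math.floor(nowMs / 1000) - skewSec;
  } catch (e) {
    return -Infinity;
  }
}

// Gate a sync on token freshness. Assumed shapes (hypothetical):
//   refreshToken(cb)  -> cb(err, newToken)
//   doSync(token, { onSuccess, onFailure })
function syncIfTokenFresh(token, refreshToken, doSync, callbacks, nowMs = Date.now()) {
  if (secondsUntilExpiry(token, nowMs) > 0) return doSync(token, callbacks);
  refreshToken((err, fresh) => {
    if (err || secondsUntilExpiry(fresh, nowMs) <= 0) {
      return callbacks.onFailure(err || new Error('ID token expired and refresh failed'));
    }
    doSync(fresh, callbacks);
  });
}

// Constructed, unsigned sample token for demonstration only.
function makeSampleToken(exp) {
  const enc = (o) =>
    btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc({ sub: 'constructed-user', exp })}.sig`;
}
```

The `exp` check only decides when to refresh; the service still performs the real validation of the token.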