aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0
9.41k stars 2.11k forks

Auth - Offline Session Management in React Native (expired tokens while offline) #10393

Open L-U-C-K-Y opened 1 year ago

L-U-C-K-Y commented 1 year ago

JavaScript Framework

React Native

Amplify APIs

Authentication

Amplify Categories

auth

Environment information

```
  System:
    OS: macOS 12.0.1
    CPU: (10) arm64 Apple M1 Max
    Memory: 74.09 MB / 32.00 GB
    Shell: 5.8 - /bin/zsh
  Binaries:
    Node: 18.7.0 - /opt/homebrew/bin/node
    Yarn: 1.22.19 - /opt/homebrew/bin/yarn
    npm: 8.15.0 - /opt/homebrew/bin/npm
    Watchman: 2022.08.15.00 - /opt/homebrew/bin/watchman
  Browsers:
    Chrome: 105.0.5195.125
    Firefox: 105.0.1
    Safari: 15.1
  npmPackages:
    @novu/node: ^0.8.0 => 0.8.0
    amqp-connection-manager: ^3.8.1 => 3.8.1
    amqplib: ^0.8.0 => 0.8.0
    amqplib-tutorials: 0.0.1
  npmGlobalPackages:
    @aws-amplify/cli: 9.0.0
    @nestjs/cli: 8.2.6
    aws-cdk: 2.43.0
    eas-cli: 0.54.1
    envinfo: 7.8.1
    expo-cli: 5.4.6
    n: 8.0.0
    netlify-cli: 8.0.15
    npm: 8.15.0
    nx: 13.4.5
    plop: 3.0.5
    react-devtools: 4.24.3
    ts-node: 10.8.1
    typeorm: 0.3.6
    typescript: 4.5.2
    vercel: 28.2.2
```

Describe the bug

Hi all

We are experiencing session issues with our mobile apps, when our users are offline and the id/access token has expired.

id + access token have expiration of 60min and refresh token of 90 days

We would be interested how others are handling this situation:

Would appreciate any feedback

Expected behavior

While user is offline and id + access tokens have expired:

```
const session = Auth.currentSession()
```

Reproduction steps

  1. Go into airplane mode
  2. Close app
  3. Wait until tokens have expired
  4. Open app

Code Snippet

```
const session = Auth.currentSession()
```

Log output

``` // Put your logs below this line ```

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

tannerabread commented 1 year ago

Hi 👋 @L-U-C-K-Y I am attempting to reproduce this and had a few questions:

I only see the @aws-amplify/cli and aws-cdk packages in your environment info, how are you using Amplify within the app itself? Can you give a snapshot of your current package.json?

Does this happen only if the app is in a quit state?

tannerabread commented 1 year ago

It would also help to see your aws-exports

tannerabread commented 1 year ago

Hi 👋 Closing this as we have not heard back from you. The most common solution I've seen to this is to set the id/access token to a higher expiration time (max 1 day), which can be done in the Cognito console in the App Client settings.

If you are still experiencing this issue and in need of assistance, please feel free to comment and provide us with any information previously requested by our team members so we can re-open this issue and be better able to assist you.

Thank you!

euvs commented 1 year ago

Hi @tannerabread I'm not the OP but we're experiencing exactly the same problem (mobile app + react native + app stays offline for a long period of time).

We currently have a Cognito service set up in AWS, and are using the aws-amplify@4.3.38 library just for authentication (via hosted UI).

When the app launches we check user session, something like this:

```
import { Auth } from 'aws-amplify';

const getTokensAndUserOnAppStart = async () => {
  // refresh tokens
  const data = await Auth.currentSession();
  // get user details
  const user = await Auth.currentAuthenticatedUser();
};
```

The suggestion of increasing the expiration time to 1 day does not solve the problem. Our app needs to work offline. Also, the app may not be in use for a few days/weeks in a row. When the app is launched and the token is expired, the app thinks that user is not authenticated for a brief moment.

It becomes even more problematic if the phone happens to be offline/no internet. The amplify library is not able to reach the Cognito service and the session is dropped. When the app is in this state, there is no way (?) to check whether the user was logged in to the app or not, or who the user was. Both currentSession and currentAuthenticatedUser methods are raising exceptions.

AFAIK amplify stores some information internally in the local storage, so it is technically possible to determine that the user was logged in or not.

Any advice on how to handle offline mode in react native apps?
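The offline case described in the comment above, as an added example that is not part of the original thread and is not Amplify code: it classifies a cached Cognito ID token locally, so the app can tell "expired but still refreshable" apart from "signed out". The function names, state labels and sample token are hypothetical; it assumes the caller has already read the raw ID token string from the app's local token store and that `auth_time` marks when the refresh token was issued.

```javascript
// Added example, not Amplify code. Lifetime below is the one quoted in this thread.
const REFRESH_LIFETIME_S = 90 * 24 * 3600; // refresh token: 90 days

// Decode the JWT payload only. No signature check happens here, so the result
// may drive UI state ("who was signed in?") but never an authorization decision.
function decodeJwtPayload(jwt) {
  const parts = typeof jwt === 'string' ? jwt.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    // Buffer is a Node global; React Native would need a polyfill (assumption).
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const claims = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return claims && typeof claims === 'object' ? claims : null;
  } catch (e) {
    return null; // malformed token is treated as "no session"
  }
}

// Distinguish "expired but still refreshable" from "really signed out".
// Assumes auth_time marks when the refresh token was issued; server-side
// revocation can only be discovered once the device is back online.
function classifyCachedSession(idToken, { online, nowS = Math.floor(Date.now() / 1000) }) {
  const claims = decodeJwtPayload(idToken);
  if (!claims || typeof claims.exp !== 'number' || typeof claims.auth_time !== 'number') {
    return { state: 'signed_out', user: null };
  }
  const user = claims['cognito:username'] || claims.sub || null;
  if (nowS < claims.exp) return { state: 'valid', user };
  if (nowS >= claims.auth_time + REFRESH_LIFETIME_S) return { state: 'reauth_required', user };
  return { state: online ? 'refresh_now' : 'offline_pending_refresh', user };
}

// Constructed sample token with a placeholder signature, for the demo only.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

const t0 = 1700000000; // constructed sign-in time
const sample = makeSampleToken({ sub: 'constructed-sub', 'cognito:username': 'alice',
  auth_time: t0, exp: t0 + 3600 }); // 60-minute ID token, as in the issue
console.log(classifyCachedSession(sample, { online: false, nowS: t0 + 7200 }));
```

The classification trusts the device clock and an unverified payload, so `offline_pending_refresh` is a display hint only; the backend still has to reject stale or revoked tokens once connectivity returns.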

tannerabread commented 1 year ago

Hi @euvs Sorry for the delayed response, it sounds like your needs are to verify if a user was previously logged in through the information stored in the cookies. You are correct that information does persist but the currentSession and currentAuthenticatedUser methods are asynchronous and make API calls to Cognito itself.

I believe Auth.currentAuthenticatedUser({ bypassCache: false }) should work but that wouldn't solve your issue if the user was offline for an extended period of time. Other than that I don't think there is currently a way to check those cookies from Amplify.

Can you confirm that I captured your concerns correctly? And maybe anything you would suggest to handle this?

Morathil commented 1 year ago

Hi @tannerabread We have the exact same requirements as @euvs (using amplify.js) and for us, you summarized it correctly. We already set the id/access token to the max of 1 day which is in our case unfortunately not sufficient.

I'm struggling with how to achieve offline usage of the app for multiple days and I would appreciate any help/ideas on that topic.

aramiscubillo commented 1 year ago

Hi @Morathil did you find any solutions for staying offline for more than 1 day? I'm also facing the same issue.

Morathil commented 1 year ago

Hi @aramiscubillo Unfortunately not yet.

itsramiel commented 1 year ago

Hey @tannerabread. We are experiencing this in our react native app. The issue precisely is that if a user opens the app while offline and his access token has expired, then Auth.currentAuthenticatedUser() throws The user is not authenticated. If the user then came online Auth.currentAuthenticatedUser() will return correctly.

This is an issue because users will think they are logged out but in reality they are not. All they need to do is turn on their wifi and then they are logged in again.

You can reproduce it by creating a simple react native app with aws amplify setup and log in with a user. You can then turn off wifi, change time from settings to after the period of the access token, and then try to call Auth.currentAuthenticatedUser() and you will see The user is not authenticated being thrown. In fact I do not think you need a react native app specifically, but that's our use case.

There is a merged fix in amplify-flutter to handle when a user is offline. Can we have something similar here?

tannerabread commented 1 year ago

Hi, excuse the delay on this issue. I have just reproduced it with the steps provided and will bring it up with the rest of the team soon to see if this is something we will fix on our side.

itsramiel commented 1 year ago

> Hi, excuse the delay on this issue. I have just reproduced it with the steps provided and will bring it up with the rest of the team soon to see if this is something we will fix on our side.

Thank you and looking forward to a reply 🙏🏻

tannerabread commented 1 year ago

Hi @itsramiel this is something I think we want to/should support so we have marked this as a bug and the team is going to look into this further. I don't currently have a timeline on the fix but any updates should be posted here.

Thank you for bringing this to our attention

itsramiel commented 1 year ago

Thank you @tannerabread

joaovitorzv commented 1 year ago

Hi, I'm also being affected by this issue, any updates on this yet?

makirby commented 1 year ago

Would be good to see some support for this. At least more descriptive errors so we can handle the offline refresh case.

aleksnied commented 2 months ago

Running into the same problems around offline and low connectivity app usage (Amplify returning {} for auth tokens, and doesn't recover once connection is restored).