cwomack
commented
3 months ago @mkolbusz, thank you for opening this issue. We're investigating this as a bug and will follow up with additional questions/updates as we have them.
Closed mkolbusz closed 1 month ago
cwomack
commented
3 months ago @mkolbusz, thank you for opening this issue. We're investigating this as a bug and will follow up with additional questions/updates as we have them.
cwomack
commented
3 months ago @mkolbusz, thank you for also creating the sample repo. We've been able to reproduce this on our side, so can you make that sample repo private? Just want to make sure any sensitive information is kept private.
mkolbusz
commented
3 months ago @cwomack done
mkolbusz
commented
3 months ago @cwomack any update on this? When can I expect fix's merge?
cwomack
commented
2 months ago @mkolbusz, we are awaiting internal approvals and testing. We will update this issue as soon as we can once the fix is approved and merged. Appreciate your patience!
HuiSF
commented
2 months ago Hi @mkolbusz The fix for this issue has released with aws-amplify@6.4.2 and @aws-amplify/adapter-nextjs@1.2.9, please upgrade to these versions. Thanks!
mkolbusz
commented
2 months ago @HuiSF @cwomack thanks for the fix. It's working well.
OrmEmbaar
commented
1 month ago I have been struggling with this bug for a while. I note the fix clears cookies that have been set on a non-root path when the access token has expired, but the fix does NOT seem to work when the refresh token has expired. In that case, the non-root path cookies continue to be persisted to cookie storage.
HuiSF
commented
1 month ago Hi @OrmEmbaar thanks for following up.
When the access token and refresh token are both expired and the library attempts to refresh the tokens from the server side, it will fail. In this case, the underlying logic will clear all outdated tokens, so it should set Set-Cookie headers in the response object you passed into runWithAmplifyServerSideContext() to remove token cookies from the client. To make this work, the'response` should be sent back to the client-side.
Amplify API calls would fail due to non-refreshable tokens; how are you handling the API errors? Does the error handling prevent the response object that contains the Set-Cookie headers from being sent back to the client?
OrmEmbaar
commented
1 month ago @HuiSF
The invalid cookies are being set inside getServerSideProps, so I'm not sure how the response object is being handled. I assume Next is dealing with it.
Also, how does this work for routes with slugs? I am seeing cookies set on /path, but we don't use any Amplify SSR methods on /path. However, we do use Amplify SSR methods on /path/[slug].
I think the issue may be that users are issued a corrupted cookie for /path when they land on /path/[slug], then when they visit /path there is no set-cookie header to remove the corrupted cookies. In our case, that results in a tokenRefresh_failure loop.
HuiSF
commented
1 month ago Hi @OrmEmbaar I think I understood. In this case the Amplify library couldn't predict the paths you may have, so the cookies couldn't be removed. I think it may require a custom solution in your page implementation to remove invalid cookies. You can do this via the response object in getServerSideProps. e.g.
// This is pseudo code
export const getServerSideProps: GetServerSideProps = async ({ req, res }) => {
// get the requested url, and use this to determine it's under a specific path
const url = req.url;
const isUnderAPath = ...; // e.g. /sub-path/dymaic-route is under `sub-path`
if (isUnderAPath) {
// collecting Amplify cookie names
const clearCookieNames = Object.keys(req.cookies)
.filter(cookieName => cookieName.startsWith('CognitoIdentityServiceProvider.'));
// insert Set-Cookie headers to remove these cookies into the response object
for (let cookieName of clearCookieNames) {
res.appendHeader('Set-Cookie', `${clearCookieNames}=;Expires=${new Date('1970').toUTCString()}`)
}
}
return { props: {} };
};Could you give it a try?
OrmEmbaar
commented
1 month ago @HuiSF I think our plan is to just ride it out. We're not getting many reports from users anymore and when we do we simply ask them to clear their cookies. We have upgraded to the latest version, so the number of users effected will diminish over time.
I have noticed that sometimes our auth cookies expire in a week whereas other times they expire in a year. A week is the length of our refresh token. If they all expired in a week the problem would solve itself rapidly. Do you know under what conditions they expire in a week vs a year?
HuiSF
commented
1 month ago Thanks for the follow up again @OrmEmbaar
Do you know under what conditions they expire in a week vs a year?
The expiration period of the access token, ID token and refresh token are configurable. This can be done with the following in the scope of Amplify:
amplify update auth
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';
import { data } from './data/resource';const backend = defineBackend({ auth, data, });
const { cfnUserPoolClient } = backend.auth.resources.cfnResources;
// Set token validities to a minimum to reduce canary test running time. cfnUserPoolClient.accessTokenValidity = 5; cfnUserPoolClient.idTokenValidity = 5; cfnUserPoolClient.refreshTokenValidity = 60; cfnUserPoolClient.tokenValidityUnits = { accessToken: 'minutes', idToken: 'minutes', refreshToken: 'minutes', };
More details about the token can be found [here](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html).I'm closing this issue as the originally reported bug has been fixed. Please feel free to reach out if anything we can help with.
Before opening, please confirm:
JavaScript Framework
Next.js
Amplify APIs
Authentication
Amplify Version
v6
Amplify Categories
auth
Backend
None
Environment information
Describe the bug
After session tokens have expired and Tanstack Query is trying to refetch the data, the server multiplies the cookies and tokens as presented below:
It causes problems with logout sometimes and should not be multiple session tokens available.
Expected behavior
After session tokens have expired the new tokens appear and no more than one token type is stored on the client side, no duplication.
Reproduction steps
Code Snippet
Minimal reproduction repository: https://github.com/mkolbusz/nextjs-amplify-v6-issues
Log output
No response
aws-exports.js
No response
Manual configuration
Additional configuration
Mobile Device
No response
Mobile Operating System
No response
Mobile Browser
No response
Mobile Browser Version
No response
Additional information and screenshots
No response