Closed mkolbusz closed 1 month ago
@mkolbusz, thank you for opening this issue. We're investigating this as a bug and will follow up with additional questions/updates as we have them.
@mkolbusz, thank you for also creating the sample repo. We've been able to reproduce this on our side, so can you make that sample repo private? Just want to make sure any sensitive information is kept private.
@cwomack done
@cwomack any update on this? When can I expect fix's merge?
@mkolbusz, we are awaiting internal approvals and testing. We will update this issue as soon as we can once the fix is approved and merged. Appreciate your patience!
Hi @mkolbusz The fix for this issue has released with aws-amplify@6.4.2
and @aws-amplify/adapter-nextjs@1.2.9
, please upgrade to these versions. Thanks!
@HuiSF @cwomack thanks for the fix. It's working well.
I have been struggling with this bug for a while. I note the fix clears cookies that have been set on a non-root path when the access token has expired, but the fix does NOT seem to work when the refresh token has expired. In that case, the non-root path cookies continue to be persisted to cookie storage.
Hi @OrmEmbaar thanks for following up.
When the access token and refresh token are both expired and the library attempts to refresh the tokens from the server side, it will fail. In this case, the underlying logic will clear all outdated tokens, so it should set Set-Cookie
headers in the response
object you passed into runWithAmplifyServerSideContext()
to remove token cookies from the client. To make this work, the'response` should be sent back to the client-side.
Amplify API calls would fail due to non-refreshable tokens; how are you handling the API errors? Does the error handling prevent the response
object that contains the Set-Cookie
headers from being sent back to the client?
@HuiSF
The invalid cookies are being set inside getServerSideProps
, so I'm not sure how the response object is being handled. I assume Next is dealing with it.
Also, how does this work for routes with slugs? I am seeing cookies set on /path
, but we don't use any Amplify SSR methods on /path
. However, we do use Amplify SSR methods on /path/[slug]
.
I think the issue may be that users are issued a corrupted cookie for /path
when they land on /path/[slug]
, then when they visit /path
there is no set-cookie
header to remove the corrupted cookies. In our case, that results in a tokenRefresh_failure
loop.
Hi @OrmEmbaar I think I understood. In this case the Amplify library couldn't predict the paths you may have, so the cookies couldn't be removed. I think it may require a custom solution in your page implementation to remove invalid cookies. You can do this via the response
object in getServerSideProps
. e.g.
// This is pseudo code
export const getServerSideProps: GetServerSideProps = async ({ req, res }) => {
// get the requested url, and use this to determine it's under a specific path
const url = req.url;
const isUnderAPath = ...; // e.g. /sub-path/dymaic-route is under `sub-path`
if (isUnderAPath) {
// collecting Amplify cookie names
const clearCookieNames = Object.keys(req.cookies)
.filter(cookieName => cookieName.startsWith('CognitoIdentityServiceProvider.'));
// insert Set-Cookie headers to remove these cookies into the response object
for (let cookieName of clearCookieNames) {
res.appendHeader('Set-Cookie', `${clearCookieNames}=;Expires=${new Date('1970').toUTCString()}`)
}
}
return { props: {} };
};
Could you give it a try?
@HuiSF I think our plan is to just ride it out. We're not getting many reports from users anymore and when we do we simply ask them to clear their cookies. We have upgraded to the latest version, so the number of users effected will diminish over time.
I have noticed that sometimes our auth cookies expire in a week whereas other times they expire in a year. A week is the length of our refresh token. If they all expired in a week the problem would solve itself rapidly. Do you know under what conditions they expire in a week vs a year?
Thanks for the follow up again @OrmEmbaar
Do you know under what conditions they expire in a week vs a year?
The expiration period of the access token, ID token and refresh token are configurable. This can be done with the following in the scope of Amplify:
amplify update auth
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';
import { data } from './data/resource';
const backend = defineBackend({ auth, data, });
const { cfnUserPoolClient } = backend.auth.resources.cfnResources;
// Set token validities to a minimum to reduce canary test running time. cfnUserPoolClient.accessTokenValidity = 5; cfnUserPoolClient.idTokenValidity = 5; cfnUserPoolClient.refreshTokenValidity = 60; cfnUserPoolClient.tokenValidityUnits = { accessToken: 'minutes', idToken: 'minutes', refreshToken: 'minutes', };
More details about the token can be found [here](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html).
I'm closing this issue as the originally reported bug has been fixed. Please feel free to reach out if anything we can help with.
Before opening, please confirm:
JavaScript Framework
Next.js
Amplify APIs
Authentication
Amplify Version
v6
Amplify Categories
auth
Backend
None
Environment information
Describe the bug
After session tokens have expired and Tanstack Query is trying to refetch the data, the server multiplies the cookies and tokens as presented below:
It causes problems with logout sometimes and should not be multiple session tokens available.
Expected behavior
After session tokens have expired the new tokens appear and no more than one token type is stored on the client side, no duplication.
Reproduction steps
Code Snippet
Minimal reproduction repository: https://github.com/mkolbusz/nextjs-amplify-v6-issues
Log output
No response
aws-exports.js
No response
Manual configuration
Additional configuration
Mobile Device
No response
Mobile Operating System
No response
Mobile Browser
No response
Mobile Browser Version
No response
Additional information and screenshots
No response