aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0
9.44k stars 2.13k forks source link

Several users are unable to log in due to the error "Unable to get user session following successful sign-in." #13940

Closed k1350 closed 3 weeks ago

k1350 commented 1 month ago

Before opening, please confirm:

JavaScript Framework

Next.js

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

CDK

Environment information

``` System: OS: macOS 14.6.1 CPU: (10) arm64 Apple M2 Pro Memory: 572.09 MB / 32.00 GB Shell: 5.9 - /bin/zsh Binaries: Node: 20.14.0 - ~/.nodenv/versions/20.14.0/bin/node npm: 10.7.0 - ~/.nodenv/versions/20.14.0/bin/npm pnpm: 9.4.0 - ~/.nodenv/versions/20.14.0/bin/pnpm Browsers: Chrome: 129.0.6668.101 Safari: 17.6 Safari Technology Preview: 18.0 npmPackages: @aws-amplify/adapter-nextjs: ^1.2.22 => 1.2.22 @dnd-kit/core: ^6.1.0 => 6.1.0 @dnd-kit/sortable: ^8.0.0 => 8.0.0 @dnd-kit/utilities: ^3.2.2 => 3.2.2 @floating-ui/react: ^0.26.25 => 0.26.25 @formatjs/intl-localematcher: ^0.5.5 => 0.5.5 @hookform/resolvers: ^3.9.0 => 3.9.0 @radix-ui/react-dialog: ^1.1.2 => 1.1.2 @radix-ui/react-toast: ^1.2.2 => 1.2.2 @radix-ui/react-visually-hidden: ^1.1.0 => 1.1.0 @react-hookz/web: ^24.0.4 => 24.0.4 @storybook/react: ^8.3.5 => 8.3.5 @storybook/test: ^8.3.5 => 8.3.5 @t3-oss/env-core: ^0.11.1 => 0.11.1 @tailwindcss/container-queries: ^0.1.1 => 0.1.1 @tiptap/core: 2.8.0 => 2.8.0 @tiptap/extension-bold: 2.8.0 => 2.8.0 @tiptap/extension-bubble-menu: 2.8.0 => 2.8.0 @tiptap/extension-document: 2.8.0 => 2.8.0 @tiptap/extension-dropcursor: 2.8.0 => 2.8.0 @tiptap/extension-floating-menu: 2.8.0 => 2.8.0 @tiptap/extension-gapcursor: 2.8.0 => 2.8.0 @tiptap/extension-hard-break: 2.8.0 => 2.8.0 @tiptap/extension-heading: 2.8.0 => 2.8.0 @tiptap/extension-history: 2.8.0 => 2.8.0 @tiptap/extension-image: 2.8.0 => 2.8.0 @tiptap/extension-link: 2.8.0 => 2.8.0 @tiptap/extension-paragraph: 2.8.0 => 2.8.0 @tiptap/extension-placeholder: 2.8.0 => 2.8.0 @tiptap/extension-text: 2.8.0 => 2.8.0 @tiptap/extension-youtube: 2.8.0 => 2.8.0 @tiptap/pm: 2.8.0 => 2.8.0 @tiptap/react: 2.8.0 => 2.8.0 @types/crypto-js: ^4.2.2 => 4.2.2 @types/lodash: ^4.17.10 => 4.17.10 @types/negotiator: ^0.6.3 => 0.6.3 @types/react: ^18.3.11 => 18.3.11 @types/react-dom: ^18.3.1 => 18.3.1 @urql/core: ^5.0.6 => 5.0.6 @urql/devtools: ^2.0.3 => 2.0.3 @urql/exchange-auth: ^2.2.0 => 2.2.0 autolinker: ^4.0.0 => 4.0.0 autoprefixer: ^10.4.20 => 10.4.20 aws-amplify: ^6.6.5 => 6.6.5 classnames: ^2.5.1 => 2.5.1 crypto-js: ^4.2.0 => 4.2.0 dayjs: ^1.11.13 => 1.11.13 eslint-plugin-n: ^17.11.1 => 17.11.1 eslint-plugin-storybook: ^0.9.0 => 0.9.0 eslint-plugin-tailwindcss: ^3.17.5 => 3.17.5 firebase: ^10.11.1 => 10.11.1 graphql: ^16.9.0 => 16.9.0 graphql-tag: ^2.12.6 => 2.12.6 isbot: ^5.1.17 => 5.1.17 lodash: ^4.17.21 => 4.17.21 mockdate: ^3.0.5 => 3.0.5 negotiator: ^0.6.3 => 0.6.3 next: 14.2.13 => 14.2.13 next-intl: ^3.21.1 => 3.21.1 nuqs: ^1.20.0 => 1.20.0 p-retry: ^6.2.0 => 6.2.0 postcss: ^8.4.47 => 8.4.47 prettier-plugin-tailwindcss: ^0.6.8 => 0.6.8 react: ^18.3.1 => 18.3.1 react-dom: ^18.3.1 => 18.3.1 react-hook-form: ^7.53.0 => 7.53.0 react-infinite-scroll-hook: ^5.0.1 => 5.0.1 rimraf: ^6.0.1 => 6.0.1 swr: ^2.2.5 => 2.2.5 tailwindcss: ^3.4.13 => 3.4.13 tailwindcss-animate: ^1.0.7 => 1.0.7 typescript: ^5.6.3 => 5.6.3 vitest: ^2.1.3 => 2.1.3 wonka: ^6.3.4 => 6.3.4 zod: ^3.23.8 => 3.23.8 npmGlobalPackages: corepack: 0.28.1 firebase-tools: 13.11.4 npm: 10.7.0 vercel: 37.3.0 ```

Describe the bug

Most users are able to log in without any issues, but some users have reported that they are encountering the following error when attempting to log in:

UnexpectedSignInInterruptionException: Unable to get user session following successful sign-in.

After interviewing an affected user, we found that he can log in using Firefox, but he is unable to log in with Google Chrome, no matter how many times he trys. Clearing caches and cookies did not resolve the issue.

We have investigated this thoroughly but have been unable to reproduce the error, and the cause remains unclear. We also reviewed previously raised issues but did not find any information that could help resolve the problem.

What kind of situations can trigger this error? We would like to know how to resolve it for users who are encountering this error consistently.

Thank you.

Expected behavior

The authentication process should successfully complete without any errors.

Reproduction steps

As the issue has not been reproducible, we're unable to provide specific steps that consistently trigger the error. Below are the general steps a user would follow.

  1. Navigate to the sign-in page of our application.
  2. Enter valid username and password.
  3. Click the "Log in" button.

Code Snippet

// Put your code below this line.

Log output

``` // Put your logs below this line ```

aws-exports.js

No response

Manual configuration

import type { ResourcesConfig } from 'aws-amplify';
import { Amplify } from 'aws-amplify';
import { cognitoUserPoolsTokenProvider } from 'aws-amplify/auth/cognito';
import { CookieStorage } from 'aws-amplify/utils';

const amplifyConfig: ResourcesConfig = {
  Auth: {
    Cognito: {
      userPoolId: "xxx",
      userPoolClientId: "xxx",
      identityPoolId: "xxx",
      allowGuestAccess: true,
    },
  },
};

Amplify.configure(amplifyConfig, { ssr: true });

cognitoUserPoolsTokenProvider.setKeyValueStorage(
  new CookieStorage({
    domain: "xxx",
    secure: true,
    path: '/',
    sameSite: 'lax',
    expires: 365,
  }),
);

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

cwomack commented 1 month ago

@k1350, thanks for opening this issue and sorry to hearing your users are experiencing this.

k1350 commented 1 month ago

@cwomack Thank you for your reply.

Can you share any detailed logs or network requests for when this happens.

The logs and network requests have not been captured.

Do you know any details around the version of Chrome these users are on?

OS: Windows 10 Browser: Chrome 129 (129.0.0.0) Full User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36

Is your domain value within the CookieStorage a subdomain or something different?

If we set the domain of our application as example.com, the domain for CookieStorage is also example.com. We are sharing cookies with another application running under the domain sub.example.com.

For the users you interviewed... do you know if they are disabling cookie storage in Chrome specifically?

I have been informed that cookies are enabled.


This is additional information regarding the issue.

In our application, we added a process that signout and redirects them to the top page when a NotAuthorizedException or UserNotFoundException occurs during the execution of fetchAuthSession yesterday. As a result, the user encountering this issue have reported that the top page reloads repeatedly.

So I guess it comes down to this.

Sign-in is failing with the error: UnexpectedSignInInterruptionException: Unable to get user session following successful sign-in.

However, on the other hand, a NotAuthorizedException or UserNotFoundException is occurring during the execution of fetchAuthSession, and it seems that the sign-out process is not working correctly in this case.

The NotAuthorizedException or UserNotFoundException errors we have observed is:

We know that NotAuthorizedException: Token is inactive occurs when a user is deactivated. However, we have not been able to reproduce the othe errors, and it is unclear under what circumstances they occur.

k1350 commented 1 month ago

@cwomack Additional information: A user who encountered the problem reported that sign-in worked properly in Chrome's Incognito Mode. However, the issue still persists when not using Incognito Mode.

cwomack commented 1 month ago

@k1350, appreciate the follow up. After reviewing this further, I think we'll need more information from the users that are experiencing or more logs if you can produce them whenever this happens with your app.

When using SSR, "sharing cookies with another application running under the domain sub.example.com" will not work out of the box. However, the fact that this is no issue for your Firefox and Chrome Incognito users may be a sign that the users experiencing this have some type of extension or something running on the client that's impacting the CookieStorage you've implemented.

Are you able to follow up with these users further and get any network requests or console logs in their browser? We'll try to reproduce this in our side, but still not quite sure how.

xconverge commented 1 month ago

Edit: This (below text and my issue) all seems to be related to localhost, so probably not really relatecd to this issue and my apologies for the noise

I can open a separate issue if necessary but I am seeing the

UnexpectedSignInInterruptionException: Unable to get user session following successful sign-in.
_AmplifyError — AmplifyError.ts:13
_AuthError — AuthError.ts:6
(anonymous function) — dispatchSignedInHubEvent.ts:18

EVERY time if I use safari when running locally. Chrome and FF both work fine but I am unable to log in to my application with safari and get this error.

This is my setup:

Amplify.configure({
  Auth: {
    Cognito: {
      userPoolId: xyz,
      userPoolClientId: xyz,
    },
  },
})
cognitoUserPoolsTokenProvider.setKeyValueStorage(
  // Set the cookie to expire in a few hours
  new CookieStorage({ expires: 0.1, sameSite: "strict", secure: true }),
)

Disabling secure: true for the cookie storage by leaving it undefined or setting it to false then allows me to login fine with safari. So something related to the secure cookies perhaps, seems to line up with the original issue/author?

Probably these: https://bugs.webkit.org/show_bug.cgi?id=281149 https://bugs.webkit.org/show_bug.cgi?id=232088

HuiSF commented 1 month ago

Hi @xconverge Safari restrictedly requires https protocol in order to set cookie attribute secure as true. More details see https://github.com/aws-amplify/amplify-js/issues/13182#issuecomment-2174640062

k1350 commented 4 weeks ago

@cwomack Due to the user experiencing issues with the application in Chrome, he has decided to stop using it, which has made it difficult to obtain network requests or logs.

The user mentioned that he was unable to log in even after disabling all extensions. I received a list of his installed extensions and conducted testing. As a result, I could not replicate the issue in my environment even with all extensions enabled.

The user appeared to have an antivirus-related toolbar installed, so I installed the antivirus software he likely uses, but I still couldn’t reproduce the issue.

This seems to be a unique situation that's difficult to replicate outside of the user’s specific environment.

I will reach out if I obtain any additional information, though it’s unlikely that we’ll find much more. Thank you for your assistance with this investigation.

cwomack commented 3 weeks ago

@k1350, sorry we couldn't help reproduce this or figure out the root cause. But if you have another user that experiences this and can find a way to get some logging around it or reproduce reliably, feel free to comment back and we can reopen the issue.

k1350 commented 2 weeks ago

@cwomack Another user has encountered an issue that seem likely to be related to this one.

Although we still haven’t been able to reproduce it, we’ve gathered more detailed information since our previous report, so we’d like to share it.

Application Configuration

In the previous comment, I mentioned:

In our application, we added a process that signout and redirects them to the top page when a NotAuthorizedException or UserNotFoundException occurs during the execution of fetchAuthSession yesterday. As a result, the user encountering this issue have reported that the top page reloads repeatedly.

However, we have since removed this process.

Additionally, I forgot to mention last time that we have another relevant implementation. Specifically, we have a mechanism to sign out and reload the page if a "tokenRefresh_failure" event occurs in Auth events.

Issue

Although the application appears to have signed out, a POST request to https://cognito-identity.ap-northeast-1.amazonaws.com/ by aws-amplify/auth/cognito's getCurrentUser fails with a 400 error status code.

This situation then leads to the screen reloading repeatedly on its own.

After manually deleting all cookies saved in Chrome over all time periods, the application returned to a normal signed-out state.

Hypothesis

It seems that, for some reason, cookies may not be deleting properly.

The previous user mentioned that "deleting cookies manually did not resolve the issue." However, this time, the user reported that "deleting cookies within a 4-week period didn’t work, but deleting them for the entire time period resolved the issue." It’s possible that the previous user may not have correctly deleted all cookies.

Additionally, it seems that even after repeatedly attempting the sign-out process, getCurrentUser continued to fail.

The following errors might be occurred alongside the 400 error from https://cognito-identity.ap-northeast-1.amazonaws.com/, as far as we could detect:

Moreover, In our application, if refreshTokens continues to fail for some reason, it could lead to repeated page reloads.

Thank you.

k1350 commented 1 week ago

@cwomack Hello. We were able to obtain the logs. Would it be possible for you to kindly reopen this issue?

Logs

Nov 13, 2024 07:37:16.250 AM UTC: User opened the application screen.

Nov 13, 2024 07:37:16.552 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (likely a Refresh Token request) returned a 400 status code error.

Nov 13, 2024 07:37:16.554 AM UTC: A tokenRefresh_failure event occurred. (data.payload.data.error.name = "NotAuthorizedException", data.payload.data.error.message = "Refresh Token has expired".) User was signed out.

Nov 13, 2024 07:37:16.562 AM UTC: A tokenRefresh_failure event occurred. User was signed out.

Nov 13, 2024 07:37:16.564 AM UTC: A tokenRefresh_failure event occurred. User was signed out.

Nov 13, 2024 07:37:16.735 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RevokeToken) succeeded with a 200 status code.

Nov 13, 2024 07:37:16.736 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RevokeToken) succeeded with a 200 status code.

Nov 13, 2024 07:37:16.736 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RevokeToken) succeeded with a 200 status code.

Nov 13, 2024 07:37:16.847 AM UTC: A POST request to https://cognito-identity.ap-northeast-1.amazonaws.com/ (GetId) succeeded with a 200 status code.

Nov 13, 2024 07:37:16.861 AM UTC: A POST request to https://cognito-identity.ap-northeast-1.amazonaws.com/ (GetCredentialsForIdentity) succeeded with a 200 status code.

Nov 13, 2024 07:37:25.642 AM UTC: User attempted to log in.

Nov 13, 2024 07:37:25.713 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (likely a Refresh Token request) returned a 400 status code error.

Nov 13, 2024 07:37:25.714 AM UTC: A tokenRefresh_failure event occurred. User was signed out.

Nov 13, 2024 07:37:25.936 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RevokeToken) succeeded with a 200 status code.

Nov 13, 2024 07:37:26.012 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (InitiateAuth) succeeded with a 200 status code.

Nov 13, 2024 07:37:26.359 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RespondToAuthChallenge) succeeded with a 200 status code.

Nov 13, 2024 07:37:26.428 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (likely a Refresh Token request) returned a 400 status code error.

Nov 13, 2024 07:37:26.429 AM UTC: A tokenRefresh_failure event occurred. User was signed out.

Nov 13, 2024 07:37:26.432 AM UTC: Error "UnexpectedSignInInterruptionException: Unable to get user session following successful sign-in" occurred.

Nov 13, 2024 07:40:08.198 AM UTC: User reloaded the application screen.

Nov 13, 2024 07:40:08.438 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (likely a Refresh Token request) returned a 400 status code error.

Nov 13, 2024 07:40:08.514 AM UTC: A tokenRefresh_failure event occurred. (data.payload.data.error.name = "NotAuthorizedException", data.payload.data.error.message = "Refresh Token has expired".) User was signed out.

Nov 13, 2024 07:40:08.519 AM UTC: A tokenRefresh_failure event occurred. User was signed out.

Nov 13, 2024 07:40:08.521 AM UTC: A tokenRefresh_failure event occurred. User was signed out.

Nov 13, 2024 07:40:08.651 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RevokeToken) succeeded with a 200 status code.

Nov 13, 2024 07:40:08.651 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RevokeToken) succeeded with a 200 status code.

Nov 13, 2024 07:40:08.652 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RevokeToken) succeeded with a 200 status code.

Nov 13, 2024 07:40:08.703 AM UTC: A POST request to https://cognito-identity.ap-northeast-1.amazonaws.com/ (GetId) succeeded with a 200 status code.

Nov 13, 2024 07:40:08.704 AM UTC: A POST request to https://cognito-identity.ap-northeast-1.amazonaws.com/ (GetId) succeeded with a 200 status code.

Nov 13, 2024 07:40:08.791 AM UTC: A POST request to https://cognito-identity.ap-northeast-1.amazonaws.com/ (GetCredentialsForIdentity) succeeded with a 200 status code.

Nov 13, 2024 07:40:08.812 AM UTC: A POST request to https://cognito-identity.ap-northeast-1.amazonaws.com/ (GetCredentialsForIdentity) succeeded with a 200 status code.

Nov 13, 2024 07:40:14.475 AM UTC: User attempted to log in.

Nov 13, 2024 07:40:14.554 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (likely a Refresh Token request) returned a 400 status code error.

Nov 13, 2024 07:40:14.555 AM UTC: A tokenRefresh_failure event occurred. User was signed out.

Nov 13, 2024 07:40:14.757 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RevokeToken) succeeded with a 200 status code.

Nov 13, 2024 07:40:14.799 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (InitiateAuth) succeeded with a 200 status code.

Nov 13, 2024 07:40:15.181 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (RespondToAuthChallenge) succeeded with a 200 status code.

Nov 13, 2024 07:40:15.245 AM UTC: A POST request to https://cognito-idp.ap-northeast-1.amazonaws.com/ (likely a Refresh Token request) returned a 400 status code error.

Nov 13, 2024 07:40:15.246 AM UTC: A tokenRefresh_failure event occurred. User was signed out.

Nov 13, 2024 07:40:15.248 AM UTC: Error "UnexpectedSignInInterruptionException: Unable to get user session following successful sign-in" occurred.
k1350 commented 5 days ago

For those encountering a similar issue, here is the root cause that we identified:

The issue stems from using @aws-amplify/adapter-nextjs to set cookies on the server-side. When this library sets cookies, the domain field is set with a default value, which is not documented but is mentioned in the following comment:

https://github.com/aws-amplify/amplify-js/issues/12866#issuecomment-1909220118

In our case, we explicitly specified the domain field in the cookie configuration as follows:

'use client';

import { Amplify } from 'aws-amplify';
import { cognitoUserPoolsTokenProvider } from 'aws-amplify/auth/cognito';
import { CookieStorage } from 'aws-amplify/utils';
import { amplifyConfig } from '..';

Amplify.configure(amplifyConfig, { ssr: true });

cognitoUserPoolsTokenProvider.setKeyValueStorage(
  new CookieStorage({
  domain: "example.com",
  secure: true,
  path: '/',
  sameSite: 'lax',
  expires: 30,
}),
);

export function ConfigureAmplifyClientSide() {
  return null;
}

However, when fetchAuthSession is executed within Next.js's Server Actions or Route Handlers and a token refresh is triggered, a cookie with a different domain field is set.

When the user logs out on the client side, cookies with a different domain field are not deleted. Eventually, these undeleted cookies expire, triggering a token refresh. Since the cookies with mismatched domain fields cannot be removed, token refresh continues to fail, leading to repeated attempts.

This was the reason for the login failure. When a login attempt is made, a token refresh failure event is triggered, causing valid cookies to be deleted.