marmelab/ra-auth-cognito

Incorrect redirection on session expiration with Cognito/Google

stripethree opened this issue · 3 comments

When a session expires, ra-auth-cognito does not appear to correctly redirect a user to the Cognito hosted UI.

In this state, this is what appears to happen, in chronological order:

  • getPermissions is called in the authProvider
    • the call to userPool.getCurrentUser() returns a valid user
    • the call to user.getSession returns an error: Cannot retrieve a new session. Please authenticate.
    • getPermissions returns Promise.reject with the error
  • checkAuth is called in the authProvider
    • the call to userPool.getCurrentUser() returns a valid user
    • the call to user.getSession returns an error: Cannot retrieve a new session. Please authenticate.
    • checkAuth returns Promise.reject with the error

If the {loginPage} attribute on <Admin> is set to Login (from this library), the user is forwarded to the Login view. This is not useful since username/password is not enabled. There appears to be no way to return to the Cognito Hosted UI login page without manually updating the URL in the location bar. Clearing browser data, navigating back to the application's root URL, etc. all lead to this scenario.


If the {loginPage} attribute on <Admin> is set to false, which makes sense given the information in #2, the screen is stuck on a loading view:


Making the following change in the checkAuth function of authProvider.ts resolves the issue in my testing:

        user.getSession((err, session) => {
          if (err) {
            console.log(err);
            // log the error?
+            return redirectToOAuthIfNeeded(new HttpError('No user', 401));
-            return reject(err);
          }
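Review bot: with `return reject(err)` removed, nothing settles the enclosing promise on this path; `return redirectToOAuthIfNeeded(new HttpError('No user', 401))` only hands the redirect's return value back to the getSession callback, which discards it. Unless redirectToOAuthIfNeeded navigates the browser away (or rejects the outer promise itself), checkAuth stays pending and react-admin keeps showing its loading state, so consider settling the promise after triggering the redirect. Two smaller points in the same hunk: the `console.log(err)` and the `// log the error?` comment above it read as leftover debugging and should be resolved before this lands, and `HttpError` must be imported (it comes from ra-core) if it is not already in scope in authProvider.ts.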

Changing this in getPermissions is not possible without larger changes, given where the redirectToOAuthIfNeeded is currently defined.

More information on the configuration of the application I am developing and how I am testing

  • testing using Brave Version 1.48.164 Chromium: 110.0.5481.100 (Official Build) (arm64)
  • Cognito and Google project set up according to documentation in this repository, with the exception that the Cognito application is configured to use Google as the only identity provider. Cognito user pool is not enabled.
  • Hosted UI is enabled using a Cognito domain, no custom domains
  • Additional information on the configuration of the Cognito app client:
    • Authentication flows: ALLOW_CUSTOM_AUTH, ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH
    • Authentication flow session duration: 3 minutes
    • Refresh token expiration: 60 minutes
    • Access token expiration: 5 minutes
    • ID token expiration: 5 minutes
  • Relevant package versions in the project:
    "amazon-cognito-identity-js": "^6.1.2",
    "ra-auth-cognito": "^1.0.0",
    "ra-core": "4.7.2",
    "ra-data-simple-rest": "4.8.1",
    "react": "^18.2.0",
    "react-admin": "4.7.1",
    "react-dom": "^18.2.0",
    "react-scripts": "5.0.1",

Please let me know if I can provide any more details that would help.
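The sequence described in the report (getCurrentUser returns a user, getSession then fails with "Cannot retrieve a new session. Please authenticate.", and a bare reject sends react-admin to its own loginPage) can be handled by redirecting to the Cognito Hosted UI at that point. The following is an added example, not ra-auth-cognito's code and not the reporter's patch: it builds the Hosted UI `/login` URL for a Cognito domain, wraps the callback-style getSession in a promise, and on failure clears the stale local user and sends the browser to the Hosted UI instead of rejecting with the raw error. The user pool and user objects are fakes constructed inline to stand in for CognitoUserPool.getCurrentUser() and CognitoUser.getSession(); the domain, client id and redirect URL are assumed values, and the `{ redirectTo: false, message: false }` rejection shape is an assumption about what react-admin accepts from checkAuth, not something the page states.

```javascript
// Added example: not ra-auth-cognito's code. Shows a checkAuth that reacts to
// a failed CognitoUser.getSession() by sending the browser to the Cognito
// Hosted UI rather than rejecting with the bare error (which makes
// react-admin bounce to its own loginPage).

// Build the Hosted UI /login URL for a Cognito domain
// (e.g. https://my-app.auth.eu-west-1.amazoncognito.com).
function buildHostedUiLoginUrl({ hostedUIUrl, clientId, redirectUrl, scope }) {
  const params = new URLSearchParams({
    client_id: clientId,
    response_type: 'code',
    scope: scope.join(' '),
    redirect_uri: redirectUrl,
  });
  return `${hostedUIUrl.replace(/\/$/, '')}/login?${params}`;
}

// Promise wrapper around the callback-style CognitoUser.getSession.
function getSessionAsync(user) {
  return new Promise((resolve, reject) => {
    user.getSession((err, session) => (err ? reject(err) : resolve(session)));
  });
}

// Assumption (not from the page): react-admin accepts redirectTo:false from
// checkAuth to mean "do not navigate yourself". The browser has already been
// sent to the Hosted UI by the time this rejection is seen.
function makeRedirectRejection() {
  return { redirectTo: false, message: false };
}

// userPool: object with getCurrentUser(); redirect: function(url) that moves
// the browser (window.location.assign in a real app, recorded in the demo).
function createCheckAuth({ userPool, config, redirect }) {
  return async function checkAuth() {
    const loginUrl = buildHostedUiLoginUrl(config);
    const user = userPool.getCurrentUser();
    if (!user) {
      // No locally cached user at all: go straight to the Hosted UI.
      redirect(loginUrl);
      throw makeRedirectRejection();
    }
    try {
      const session = await getSessionAsync(user);
      if (!session.isValid()) throw new Error('Session is not valid');
    } catch (err) {
      // Refresh token expired or any other getSession failure: drop the stale
      // cached user so the next page load does not loop, then redirect.
      user.signOut();
      redirect(loginUrl);
      throw makeRedirectRejection();
    }
  };
}

// Fakes standing in for CognitoUser (constructed for this demo only).
function fakeUser({ sessionError, valid = true }) {
  return {
    signedOut: false,
    getSession(cb) {
      if (sessionError) return cb(new Error(sessionError), null);
      cb(null, { isValid: () => valid });
    },
    signOut() { this.signedOut = true; },
  };
}

// Assumed configuration values for the demo.
const demoConfig = {
  hostedUIUrl: 'https://example-app.auth.eu-west-1.amazoncognito.com',
  clientId: 'abc123',
  redirectUrl: 'http://localhost:3000/auth-callback',
  scope: ['openid', 'email'],
};

// Runs the expired-session path and the valid-session path and reports the
// outcome so both can be inspected (or asserted on) without a browser.
async function runDemo() {
  const redirects = [];
  const redirect = (url) => redirects.push(url);

  const expired = fakeUser({ sessionError: 'Cannot retrieve a new session. Please authenticate.' });
  const checkExpired = createCheckAuth({ userPool: { getCurrentUser: () => expired }, config: demoConfig, redirect });
  let expiredRejected = false;
  await checkExpired().catch(() => { expiredRejected = true; });

  const fresh = fakeUser({});
  const checkFresh = createCheckAuth({ userPool: { getCurrentUser: () => fresh }, config: demoConfig, redirect });
  let freshRejected = false;
  await checkFresh().catch(() => { freshRejected = true; });

  return { redirects, expiredRejected, freshRejected, expiredSignedOut: expired.signedOut };
}

runDemo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The same wrapper can be reused for getPermissions, which the report notes fails on the identical getSession error; in a real authProvider the `redirect` function would be `(url) => window.location.assign(url)`.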

djhi commented

Thanks for the detailed report and the fix. I was able to reproduce it and fix it.

Hi, I still have this exact same issue with 1.0.1...

Please, can you make a new release with the fix? It's in fact not in 1.0.1.