fix(auth): handle NaN clockDrift to fix token auto-refresh (#14618)

pgbezerra · claude · pgbezerra · commit af45f261516e · 2026-01-26T17:55:41.000-03:00
Fix automatic token refresh failing silently when clockDrift is NaN.
This addresses the issue where fetchAuthSession() does not auto-refresh
expired tokens for CUSTOM_WITHOUT_SRP auth flow.

## Root Cause

When clockDrift is NaN, the token expiration check always returns false:

```javascript
// isTokenExpired.ts (before)
return currentTime + clockDrift + tolerance &gt; expiresAt;
//     currentTime + NaN + tolerance = NaN
//     NaN &gt; expiresAt = false (always)
```

This causes expired tokens to never be detected as expired, preventing
automatic refresh.

## How clockDrift becomes NaN

In TokenStore.loadTokens(), clockDrift is parsed from storage:

```javascript
const clockDriftString = (await storage.getItem(key)) ?? '0';
const clockDrift = Number.parseInt(clockDriftString);
```

The nullish coalescing operator (??) only handles null/undefined, not
empty strings. If clockDrift is stored as "" (empty string):

| Stored Value | ?? '0' result | parseInt() result |
|--------------|---------------|-------------------|
| null         | '0'           | 0 ✓               |
| '123'        | '123'         | 123 ✓             |
| ''           | '' (falsy!)   | NaN ✗             |

This can happen with custom KeyValueStorage implementations or when
certain auth flows don't properly initialize the clockDrift value.

## Fix

Added three-layer defense against NaN clockDrift:

1. **TokenStore.ts**: Sanitize at load time
   ```javascript
   const parsedClockDrift = Number.parseInt(clockDriftString);
   const clockDrift = Number.isNaN(parsedClockDrift) ? 0 : parsedClockDrift;
   ```

2. **TokenOrchestrator.ts**: Use || instead of ?? for fallback
   ```javascript
   clockDrift: tokens.clockDrift || 0  // NaN || 0 = 0
   // vs
   clockDrift: tokens.clockDrift ?? 0  // NaN ?? 0 = NaN
   ```

3. **isTokenExpired.ts**: Final safety net
   ```javascript
   const safeClockDrift = Number.isNaN(clockDrift) ? 0 : clockDrift;
   ```

## Test Coverage

Added comprehensive tests for clockDrift edge cases:
- NaN clockDrift with expired tokens triggers refresh
- NaN clockDrift with valid tokens does not trigger refresh
- undefined clockDrift with expired tokens triggers refresh
- Positive/negative/zero clockDrift handled correctly

Co-Authored-By: Claude Opus 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/packages/auth/__tests__/providers/cognito/tokenProvider/tokenOrchestrator.test.ts b/packages/auth/__tests__/providers/cognito/tokenProvider/tokenOrchestrator.test.ts
@@ -450,5 +450,115 @@ describe('tokenOrchestrator', () => {
 				}),
 			);
 		});
+
+		describe('clockDrift edge cases', () => {
+			it('should trigger refresh when clockDrift is NaN and token is expired', async () => {
+				const now = Math.floor(Date.now() / 1000);
+				const pastExp = now - 3600; // 1 hour ago
+				const expiredTokensWithNaNClockDrift: CognitoAuthTokens = {
+					accessToken: {
+						payload: {
+							exp: pastExp,
+							iat: pastExp - 3600,
+						},
+						toString: () => 'mock-expired-access-token',
+					},
+					idToken: {
+						payload: {
+							exp: pastExp,
+							iat: pastExp - 3600,
+						},
+						toString: () => 'mock-expired-id-token',
+					},
+					refreshToken: 'mock-refresh-token',
+					clockDrift: NaN,
+					username: 'testuser',
+				};
+				const newTokens = createTokens();
+				mockTokenStore.loadTokens.mockResolvedValue(
+					expiredTokensWithNaNClockDrift,
+				);
+				mockTokenStore.getLastAuthUser.mockResolvedValue('testuser');
+				mockTokenRefresher.mockResolvedValue(newTokens);
+
+				const result = await tokenOrchestrator.getTokens();
+
+				expect(mockTokenRefresher).toHaveBeenCalledWith(
+					expect.objectContaining({
+						tokens: expiredTokensWithNaNClockDrift,
+						username: 'testuser',
+					}),
+				);
+				expect(result?.accessToken).toEqual(newTokens.accessToken);
+			});
+
+			it('should not trigger refresh when clockDrift is NaN but token is still valid', async () => {
+				const now = Math.floor(Date.now() / 1000);
+				const futureExp = now + 3600; // 1 hour from now
+				const validTokensWithNaNClockDrift: CognitoAuthTokens = {
+					accessToken: {
+						payload: {
+							exp: futureExp,
+							iat: now,
+						},
+						toString: () => 'mock-access-token',
+					},
+					idToken: {
+						payload: {
+							exp: futureExp,
+							iat: now,
+						},
+						toString: () => 'mock-id-token',
+					},
+					refreshToken: 'mock-refresh-token',
+					clockDrift: NaN,
+					username: 'testuser',
+				};
+				mockTokenStore.loadTokens.mockResolvedValue(
+					validTokensWithNaNClockDrift,
+				);
+				mockTokenStore.getLastAuthUser.mockResolvedValue('testuser');
+
+				const result = await tokenOrchestrator.getTokens();
+
+				expect(mockTokenRefresher).not.toHaveBeenCalled();
+				expect(result?.accessToken).toBeDefined();
+			});
+
+			it('should trigger refresh when clockDrift is undefined and token is expired', async () => {
+				const now = Math.floor(Date.now() / 1000);
+				const pastExp = now - 3600; // 1 hour ago
+				const expiredTokensWithUndefinedClockDrift = {
+					accessToken: {
+						payload: {
+							exp: pastExp,
+							iat: pastExp - 3600,
+						},
+						toString: () => 'mock-expired-access-token',
+					},
+					idToken: {
+						payload: {
+							exp: pastExp,
+							iat: pastExp - 3600,
+						},
+						toString: () => 'mock-expired-id-token',
+					},
+					refreshToken: 'mock-refresh-token',
+					clockDrift: undefined,
+					username: 'testuser',
+				} as unknown as CognitoAuthTokens;
+				const newTokens = createTokens();
+				mockTokenStore.loadTokens.mockResolvedValue(
+					expiredTokensWithUndefinedClockDrift,
+				);
+				mockTokenStore.getLastAuthUser.mockResolvedValue('testuser');
+				mockTokenRefresher.mockResolvedValue(newTokens);
+
+				const result = await tokenOrchestrator.getTokens();
+
+				expect(mockTokenRefresher).toHaveBeenCalled();
+				expect(result?.accessToken).toEqual(newTokens.accessToken);
+			});
+		});
 	});
 });
diff --git a/packages/auth/src/providers/cognito/tokenProvider/TokenOrchestrator.ts b/packages/auth/src/providers/cognito/tokenProvider/TokenOrchestrator.ts
@@ -126,11 +126,11 @@ export class TokenOrchestrator implements AuthTokenOrchestrator {
 			!!tokens?.idToken &&
 			isTokenExpired({
 				expiresAt: (tokens.idToken?.payload?.exp ?? 0) * 1000,
-				clockDrift: tokens.clockDrift ?? 0,
+				clockDrift: tokens.clockDrift || 0,
 			});
 		const accessTokenExpired = isTokenExpired({
 			expiresAt: (tokens.accessToken?.payload?.exp ?? 0) * 1000,
-			clockDrift: tokens.clockDrift ?? 0,
+			clockDrift: tokens.clockDrift || 0,
 		});
 
 		if (options?.forceRefresh || idTokenExpired || accessTokenExpired) {
diff --git a/packages/auth/src/providers/cognito/tokenProvider/TokenStore.ts b/packages/auth/src/providers/cognito/tokenProvider/TokenStore.ts
@@ -70,7 +70,8 @@ export class DefaultTokenStore implements AuthTokenStore {
 
 			const clockDriftString =
 				(await this.getKeyValueStorage().getItem(authKeys.clockDrift)) ?? '0';
-			const clockDrift = Number.parseInt(clockDriftString);
+			const parsedClockDrift = Number.parseInt(clockDriftString);
+			const clockDrift = Number.isNaN(parsedClockDrift) ? 0 : parsedClockDrift;
 
 			const signInDetails = await this.getKeyValueStorage().getItem(
 				authKeys.signInDetails,
diff --git a/packages/core/__tests__/utils/isTokenExpired.test.ts b/packages/core/__tests__/utils/isTokenExpired.test.ts
@@ -53,4 +53,58 @@ describe('isTokenExpired', () => {
 
 		expect(result).toBe(false);
 	});
+
+	describe('clockDrift edge cases', () => {
+		it('should treat NaN clockDrift as 0 and correctly detect expired token', () => {
+			const result = isTokenExpired({
+				expiresAt: Date.now() - 1000, // expired 1 second ago
+				clockDrift: NaN,
+				tolerance: 0,
+			});
+
+			expect(result).toBe(true);
+		});
+
+		it('should treat NaN clockDrift as 0 and correctly detect valid token', () => {
+			const result = isTokenExpired({
+				expiresAt: Date.now() + 10000, // expires in 10 seconds
+				clockDrift: NaN,
+				tolerance: 0,
+			});
+
+			expect(result).toBe(false);
+		});
+
+		it('should handle positive clockDrift correctly', () => {
+			// With positive clockDrift, effective time is ahead
+			const result = isTokenExpired({
+				expiresAt: Date.now() + 1000, // expires in 1 second
+				clockDrift: 2000, // but we're 2 seconds ahead
+				tolerance: 0,
+			});
+
+			expect(result).toBe(true);
+		});
+
+		it('should handle negative clockDrift correctly', () => {
+			// With negative clockDrift, effective time is behind
+			const result = isTokenExpired({
+				expiresAt: Date.now() - 1000, // expired 1 second ago
+				clockDrift: -2000, // but we're 2 seconds behind
+				tolerance: 0,
+			});
+
+			expect(result).toBe(false);
+		});
+
+		it('should handle zero clockDrift correctly', () => {
+			const result = isTokenExpired({
+				expiresAt: Date.now() + 1000,
+				clockDrift: 0,
+				tolerance: 0,
+			});
+
+			expect(result).toBe(false);
+		});
+	});
 });
diff --git a/packages/core/src/utils/isTokenExpired.ts b/packages/core/src/utils/isTokenExpired.ts
@@ -11,6 +11,8 @@ export function isTokenExpired({
 	tolerance?: number;
 }): boolean {
 	const currentTime = Date.now();
+	// Treat NaN clockDrift as 0 for safety (NaN comparisons always return false)
+	const safeClockDrift = Number.isNaN(clockDrift) ? 0 : clockDrift;
 
-	return currentTime + clockDrift + tolerance > expiresAt;
+	return currentTime + safeClockDrift + tolerance > expiresAt;
 }

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,8 @@ export function isTokenExpired({`
`11`	`11`	`tolerance?: number;`
`12`	`12`	`}): boolean {`
`13`	`13`	`const currentTime = Date.now();`
	`14`	`+ // Treat NaN clockDrift as 0 for safety (NaN comparisons always return false)`
	`15`	`+ const safeClockDrift = Number.isNaN(clockDrift) ? 0 : clockDrift;`
`14`	`16`
`15`		`- return currentTime + clockDrift + tolerance > expiresAt;`
	`17`	`+ return currentTime + safeClockDrift + tolerance > expiresAt;`
`16`	`18`	`}`