fix(auth): Return session expired on revoke token (#2652)

Author: royjit

AmplifyPlugins/Auth/Sources/AWSCognitoAuthPlugin/Actions/FetchAuthorizationSession/FetchIdentity/FetchAuthIdentityId.swift

@@ -65,10 +65,8 @@ struct FetchAuthIdentityId: Action {
     }
 
     func isNotAuthorizedError(_ error: Error) -> Bool {
-        if case .client(let clientError, _) = error as? SdkError<GetIdOutputError>,
-           case .retryError(let serviceError) = clientError,
-           let sdkError = serviceError as? SdkError<GetIdOutputError>,
-           case .service(let getIdError, _ ) = sdkError,
+
+        if let getIdError: GetIdOutputError = error.internalAWSServiceError(),
            case .notAuthorizedException = getIdError {
             return true
         }

AmplifyPlugins/Auth/Sources/AWSCognitoAuthPlugin/Actions/FetchAuthorizationSession/InformSessionError.swift

@@ -37,12 +37,14 @@ struct InformSessionError: Action {
     }
 
     func isNotAuthorizedError(_ error: Error) -> Bool {
-        if let initiateAuthError = error as? InitiateAuthOutputError,
-           case .notAuthorizedException = initiateAuthError {
+
+
+        if let serviceError: GetCredentialsForIdentityOutputError = error.internalAWSServiceError(),
+           case .notAuthorizedException = serviceError {
             return true
         }
-        if let initiateAuthError = error as? GetCredentialsForIdentityOutputError,
-           case .notAuthorizedException = initiateAuthError {
+        if let serviceError: InitiateAuthOutputError = error.internalAWSServiceError(),
+           case .notAuthorizedException = serviceError {
             return true
         }
         return false

AmplifyPlugins/Auth/Sources/AWSCognitoAuthPlugin/Service/ErrorMapping/SdkError+AuthError.swift

@@ -82,3 +82,51 @@ extension SdkError: AuthErrorConvertible {
     }
 
 }
+
+extension Error {
+    func internalAWSServiceError<E>() -> E? {
+        if let internalError = self as? E {
+            return internalError
+        }
+
+        if let sdkError = self as? SdkError<E> {
+            return sdkError.internalAWSServiceError()
+        }
+        return nil
+    }
+}
+
+extension SdkError {
+
+    func internalAWSServiceError<E>() -> E? {
+        switch self {
+
+        case .service(let error, _):
+            if let serviceError = error as? E {
+                return serviceError
+            }
+
+        case .client(let clientError, _):
+            return clientError.internalAWSServiceError()
+
+        default: break
+
+        }
+        return nil
+    }
+}
+
+extension ClientError {
+
+    func internalAWSServiceError<E>() -> E? {
+        switch self {
+        case .retryError(let retryError):
+            if let sdkError = retryError as? SdkError<E> {
+                return sdkError.internalAWSServiceError()
+            }
+
+        default: break
+        }
+        return nil
+    }
+}

AmplifyPlugins/Auth/Sources/AWSCognitoAuthPlugin/StateMachine/ErrorMapping/SignInError+Helper.swift

@@ -12,80 +12,39 @@ import AWSCognitoIdentityProvider
 
 extension SignInError {
 
-    var isUserUnConfirmed: Bool {
+    var isUserNotConfirmed: Bool {
         switch self {
         case .service(error: let serviceError):
-            if let cognitoError = serviceError as? SdkError<InitiateAuthOutputError>,
-               case .service(let serviceError, _) = cognitoError,
-               case .userNotConfirmedException = serviceError {
-                return true
-            } else if let cognitoError = serviceError as? SdkError<InitiateAuthOutputError>,
-                      case .client(let clientError, _) = cognitoError,
-                      case .retryError(let retryError) = clientError,
-                      let cognitoServiceError = retryError as? SdkError<InitiateAuthOutputError>,
-                      case .service(let internalServiceError, _) = cognitoServiceError,
-                      case .userNotConfirmedException = internalServiceError {
-                return true
-            } else if let cognitoError = serviceError as? SdkError<RespondToAuthChallengeOutputError>,
-                      case .service(let serviceError, _) = cognitoError,
-                      case .userNotConfirmedException = serviceError {
-                return true
-            } else if let cognitoError = serviceError as? SdkError<RespondToAuthChallengeOutputError>,
-                       case .client(let clientError, _) = cognitoError,
-                       case .retryError(let retryError) = clientError,
-                       let cognitoServiceError = retryError as? SdkError<RespondToAuthChallengeOutputError>,
-                       case .service(let internalServiceError, _) = cognitoServiceError,
-                       case .userNotConfirmedException = internalServiceError {
-                 return true
-             } else if let cognitoError = serviceError as? InitiateAuthOutputError,
-                      case .userNotConfirmedException = cognitoError {
+
+            if let internalError: InitiateAuthOutputError = serviceError.internalAWSServiceError(),
+               case .userNotConfirmedException = internalError {
                 return true
-            } else if let cognitoError = serviceError as? RespondToAuthChallengeOutputError,
-                      case .userNotConfirmedException = cognitoError {
+            }
+
+            if let internalError: RespondToAuthChallengeOutputError = serviceError.internalAWSServiceError(),
+               case .userNotConfirmedException = internalError {
                 return true
             }
-            return false
-        default:
-            return false
+        default: break
         }
+        return false
     }
 
     var isResetPassword: Bool {
         switch self {
         case .service(error: let serviceError):
-            if let cognitoError = serviceError as? SdkError<InitiateAuthOutputError>,
-               case .service(let serviceError, _) = cognitoError,
-               case .passwordResetRequiredException = serviceError {
+            if let internalError: InitiateAuthOutputError = serviceError.internalAWSServiceError(),
+               case .passwordResetRequiredException = internalError {
                 return true
-            }  else if let cognitoError = serviceError as? SdkError<InitiateAuthOutputError>,
-                       case .client(let clientError, _) = cognitoError,
-                       case .retryError(let retryError) = clientError,
-                       let cognitoServiceError = retryError as? SdkError<InitiateAuthOutputError>,
-                       case .service(let internalServiceError, _) = cognitoServiceError,
-                       case .passwordResetRequiredException = internalServiceError {
-                 return true
-             } else if let cognitoError = serviceError as? SdkError<RespondToAuthChallengeOutputError>,
-                      case .service(let serviceError, _) = cognitoError,
-                      case .passwordResetRequiredException = serviceError {
-                return true
-            } else if let cognitoError = serviceError as? SdkError<RespondToAuthChallengeOutputError>,
-                      case .client(let clientError, _) = cognitoError,
-                      case .retryError(let retryError) = clientError,
-                      let cognitoServiceError = retryError as? SdkError<RespondToAuthChallengeOutputError>,
-                      case .service(let internalServiceError, _) = cognitoServiceError,
-                      case .passwordResetRequiredException = internalServiceError {
-                return true
-            } else if let cognitoError = serviceError as? InitiateAuthOutputError,
-                      case .passwordResetRequiredException = cognitoError {
-                return true
-            } else if let cognitoError = serviceError as? RespondToAuthChallengeOutputError,
-                      case .passwordResetRequiredException = cognitoError {
+            }
+
+            if let internalError: RespondToAuthChallengeOutputError = serviceError.internalAWSServiceError(),
+               case .passwordResetRequiredException = internalError {
                 return true
             }
-            return false
-        default:
-            return false
+        default: break
         }
+        return false
     }
 }
 

AmplifyPlugins/Auth/Sources/AWSCognitoAuthPlugin/Support/Helpers/UserPoolSignInHelper.swift

@@ -53,7 +53,7 @@ struct UserPoolSignInHelper {
     }
 
     private static func validateError(signInError: SignInError) throws -> AuthSignInResult {
-        if signInError.isUserUnConfirmed {
+        if signInError.isUserNotConfirmed {
             return AuthSignInResult(nextStep: .confirmSignUp(nil))
         } else if signInError.isResetPassword {
             return AuthSignInResult(nextStep: .resetPassword(nil))

AmplifyPlugins/Auth/Tests/AWSCognitoAuthPluginUnitTests/TaskTests/AuthorizationTests/AWSAuthFetchSignInSessionOperationTests.swift

@@ -13,6 +13,7 @@ import XCTest
 import AWSCognitoIdentity
 import AWSCognitoIdentityProvider
 import AWSPluginsCore
+import ClientRuntime
 
 @testable import AWSPluginsTestCommon
 
@@ -634,4 +635,59 @@ class AWSAuthFetchSignInSessionOperationTests: BaseAuthorizationTests {
             return
         }
     }
+
+    /// Test signedIn session with notAuthorized error
+    ///
+    /// - Given: Given an auth plugin with signedIn state
+    /// - When:
+    ///    - I invoke fetchAuthSession and mock notAuthorizedError
+    /// - Then:
+    ///    - I should get an a valid session with the following details:
+    ///         - isSignedIn = true
+    ///         - aws credentails = .sessionExpired
+    ///         - identity id = .sessionExpired
+    ///         - cognito tokens = .sessionExpired
+    ///
+    func testSignInSessionWithNotAuthorizedError() async throws {
+        let initialState = AuthState.configured(
+            AuthenticationState.signedIn(.testData),
+            AuthorizationState.sessionEstablished(
+                AmplifyCredentials.testDataWithExpiredTokens))
+
+        let initAuth: MockIdentityProvider.MockInitiateAuthResponse = { _ in
+            let notAuthorized = InitiateAuthOutputError.notAuthorizedException(.init(message: "NotAuthorized"))
+            let serviceError = SdkError<InitiateAuthOutputError>.service(notAuthorized, .init(body: .none, statusCode: .accepted))
+            let clientError = ClientError.retryError(serviceError)
+            throw SdkError<InitiateAuthOutputError>.client(clientError, nil)
+        }
+
+        let plugin = configurePluginWith(
+            userPool: { MockIdentityProvider(mockInitiateAuthResponse: initAuth) },
+            initialState: initialState)
+
+        let session = try await plugin.fetchAuthSession(options: AuthFetchSessionRequest.Options())
+
+        XCTAssertTrue(session.isSignedIn)
+        let credentialsResult = (session as? AuthAWSCredentialsProvider)?.getAWSCredentials()
+
+        guard case .failure(let error) = credentialsResult,
+                case .sessionExpired = error else {
+            XCTFail("Should return sessionExpired error")
+            return
+        }
+
+        let identityIdResult = (session as? AuthCognitoIdentityProvider)?.getIdentityId()
+        guard case .failure(let identityIdError) = identityIdResult,
+              case .sessionExpired = identityIdError else {
+            XCTFail("Should return sessionExpired error")
+            return
+        }
+
+        let tokensResult = (session as? AuthCognitoTokensProvider)?.getCognitoTokens()
+        guard case .failure(let tokenError) = tokensResult,
+              case .sessionExpired = tokenError else {
+            XCTFail("Should return sessionExpired error")
+            return
+        }
+    }
 }