fix(core): Add proper handling of expired credentials (#2637)

royjit · web-flow · commit 233b17999c82 · 2022-12-30T11:53:49.000-08:00
diff --git a/AmplifyPlugins/Core/AWSPluginsCore/Auth/Provider/AmplifyAWSCredentialsProvider.swift b/AmplifyPlugins/Core/AWSPluginsCore/Auth/Provider/AmplifyAWSCredentialsProvider.swift
@@ -27,10 +27,14 @@ extension AWSCredentials {
 
     func toAWSSDKCredentials() -> AWSClientRuntime.AWSCredentials {
         if let tempCredentials = self as? AWSTemporaryCredentials {
+
+            let expirationTimeSinceNow = tempCredentials.expiration.timeIntervalSinceNow
+            let expirationTimeout = UInt64(max(0, expirationTimeSinceNow))
+
             return AWSClientRuntime.AWSCredentials(
                 accessKey: tempCredentials.accessKeyId,
                 secret: tempCredentials.secretAccessKey,
-                expirationTimeout: UInt64(tempCredentials.expiration.timeIntervalSinceNow),
+                expirationTimeout: expirationTimeout,
                 sessionToken: tempCredentials.sessionToken)
         } else {
             return AWSClientRuntime.AWSCredentials(
diff --git a/AmplifyPlugins/Core/AWSPluginsCoreTests/Auth/AWSAuthServiceTests.swift b/AmplifyPlugins/Core/AWSPluginsCoreTests/Auth/AWSAuthServiceTests.swift
@@ -9,6 +9,7 @@ import XCTest
 
 @testable import Amplify
 @testable import AWSPluginsCore
+import AWSClientRuntime
 
 class AWSAuthServiceTests: XCTestCase {
 
@@ -153,4 +154,41 @@ class AWSAuthServiceTests: XCTestCase {
 
         XCTAssertEqual(iat, 1_551_307_661)
     }
+
+
+    /// Given: A credentials that will expire after 100 second
+    /// When: I convert the credentials to AWS SDK ClientRuntime
+    /// Then: I should get a valid CRT credentials
+    func testValidCredentialsToCRTConversion() throws {
+
+        let credentials = MockCredentials(
+            sessionToken: "somesession",
+            accessKeyId: "accessKeyId",
+            secretAccessKey: "secretAccessKey",
+            expiration: Date().addingTimeInterval(100))
+        let sdkCredentials = credentials.toAWSSDKCredentials()
+        XCTAssertNotNil(sdkCredentials)
+    }
+
+    /// Given: A credentials that expired 100 second back
+    /// When: I convert the credentials to AWS SDK ClientRuntime
+    /// Then: I should get a valid CRT credentials
+    func testExpiredCredentialsToCRTConversion() throws {
+
+        let credentials = MockCredentials(
+            sessionToken: "somesession",
+            accessKeyId: "accessKeyId",
+            secretAccessKey: "secretAccessKey",
+            expiration: Date().addingTimeInterval(-100))
+        let sdkCredentials = credentials.toAWSSDKCredentials()
+        XCTAssertNotNil(sdkCredentials)
+    }
+}
+
+
+struct MockCredentials: AWSTemporaryCredentials {
+    let sessionToken: String
+    let accessKeyId: String
+    let secretAccessKey: String
+    let expiration: Date
 }
