fix(auth): Replace force unwrap to throw an error in AWS credentials (#1476)

Author: royjit

AmplifyPlugins/Auth/AWSCognitoAuthPlugin/Dependency/AuthorizationProviderAdapter+SignedInSession.swift

@@ -182,13 +182,19 @@ extension AuthorizationProviderAdapter {
                 self.fetchSignedInSession(withError: error, completionHandler)
                 return nil
             }
-            let amplifyCredentials = credentials.toAmplifyAWSCredentials()
-            let authSession = AWSAuthCognitoSession(isSignedIn: true,
-                                                    userSubResult: userSubResult,
-                                                    identityIdResult: .success(identityId),
-                                                    awsCredentialsResult: .success(amplifyCredentials),
-                                                    cognitoTokensResult: tokenResult)
-            completionHandler(.success(authSession))
+
+            do {
+                let amplifyCredentials = try credentials.toAmplifyAWSCredentials()
+                let authSession = AWSAuthCognitoSession(isSignedIn: true,
+                                                        userSubResult: userSubResult,
+                                                        identityIdResult: .success(identityId),
+                                                        awsCredentialsResult: .success(amplifyCredentials),
+                                                        cognitoTokensResult: tokenResult)
+                completionHandler(.success(authSession))
+            } catch {
+                let authError = AuthErrorHelper.toAuthError(error)
+                self.fetchSignedInSession(withError: authError, completionHandler)
+            }
             return nil
         }
     }

AmplifyPlugins/Auth/AWSCognitoAuthPlugin/Dependency/AuthorizationProviderAdapter+SignedOutSession.swift

@@ -61,11 +61,22 @@ extension AuthorizationProviderAdapter {
                 completionHandler(.success(authSession))
                 return nil
             }
-            let authSession = AuthCognitoSignedOutSessionHelper.makeSignedOutSession(
-                identityId: identityId,
-                awsCredentials: awsCredentials.toAmplifyAWSCredentials())
-            completionHandler(.success(authSession))
-            return nil
+
+            do {
+                let amplifyAWSCredentials = try awsCredentials.toAmplifyAWSCredentials()
+                let authSession = AuthCognitoSignedOutSessionHelper.makeSignedOutSession(
+                    identityId: identityId,
+                    awsCredentials: amplifyAWSCredentials
+                )
+                completionHandler(.success(authSession))
+                return nil
+
+            } catch {
+                let authSession = AuthCognitoSignedOutSessionHelper.makeSignedOutSession(withError: error)
+                completionHandler(.success(authSession))
+                return nil
+            }
+
         }
     }
 }

AmplifyPlugins/Auth/AWSCognitoAuthPlugin/Support/Utils/AWSCredentials+Extension.swift

@@ -7,16 +7,29 @@
 
 import Foundation
 import AWSCore
+import Amplify
 
 extension AWSCredentials {
 
-    func toAmplifyAWSCredentials() -> AuthAWSCognitoCredentials {
+    func toAmplifyAWSCredentials() throws -> AuthAWSCognitoCredentials {
+
         // Credentials are fetched through Cognito Identity Pool and thus these are temporary credentials
-        // so sessionKey and expiration date will not be nil.
-        let credentials = AuthAWSCognitoCredentials(accessKey: accessKey,
-                                                    secretKey: secretKey,
-                                                    sessionKey: sessionKey!,
-                                                    expiration: expiration!)
-        return credentials
+        // so sessionKey and expiration date should not be nil.
+        let nonNilAccessKey = accessKey
+        let nonNilSecretKey = secretKey
+        guard let nonNilSessionKey = sessionKey,
+              let nonNilExpiration = expiration,
+              !nonNilAccessKey.isEmpty,
+              !nonNilSecretKey.isEmpty else {
+                  let error = AuthError.unknown("""
+                      Could not retreive AWS credentials, credential value is nil or empty.
+                      """)
+                  throw error
+              }
+
+        return AuthAWSCognitoCredentials(accessKey: nonNilAccessKey,
+                                         secretKey: nonNilSecretKey,
+                                         sessionKey: nonNilSessionKey,
+                                         expiration: nonNilExpiration)
     }
 }

AmplifyPlugins/Auth/AWSCognitoAuthPlugin/Support/Utils/AuthErrorHelper.swift

@@ -171,6 +171,8 @@ struct AuthErrorHelper {
     static func toAuthError(_ error: Error) -> AuthError {
         if let awsMobileClientError = error as? AWSMobileClientError {
             return toAuthError(awsMobileClientError: awsMobileClientError)
+        } else if let authError = error as? AuthError {
+            return authError
         }
         return AuthError.unknown("An unknown error occurred", error)
 

AmplifyPlugins/Auth/AWSCognitoAuthPluginTests/AuthorizationProviderTests/AuthorizationProviderSessionSignInTests.swift

@@ -713,4 +713,61 @@ class AuthorizationProviderSessionSignInTests: BaseAuthorizationProviderTest {
         }
         wait(for: [resultExpectation], timeout: apiTimeout)
     }
+
+    /// Test signedIn session with nil values in AWS credentials
+    ///
+    /// - Given: Given an auth plugin with signedIn state
+    /// - When:
+    ///    - I invoke fetchAuthSession and mock nil values for aws credentials
+    /// - Then:
+    ///    - I should get an a valid session with the following details:
+    ///         - isSignedIn = true
+    ///         - aws credentails = unknown error
+    ///         - identity id = unknown error
+    ///         - cognito tokens = unknown error
+    ///
+    func testSignInSessionWithNilValuesAWSCredentials() {
+        mockAWSCredentials()
+        mockCognitoTokens()
+        mockIdentityId()
+        mockAWSMobileClient.awsCredentialsMockResult = .success(AWSCredentials(accessKey: "mockAccess",
+                                                                               secretKey: "mockSecret",
+                                                                               sessionKey: "mockSession",
+                                                                               expiration: nil))
+        let resultExpectation = expectation(description: "Should receive a result")
+        _ = plugin.fetchAuthSession(options: AuthFetchSessionRequest.Options()) { result in
+            defer {
+                resultExpectation.fulfill()
+            }
+            switch result {
+            case .success(let session):
+
+                XCTAssertTrue(session.isSignedIn)
+
+                let credentialsResult = (session as? AuthAWSCredentialsProvider)?.getAWSCredentials()
+                guard case .failure(let error) = credentialsResult,
+                      case .unknown = error else {
+                    XCTFail("Should return unknown error")
+                    return
+                }
+
+                let identityIdResult = (session as? AuthCognitoIdentityProvider)?.getIdentityId()
+                guard case .failure(let identityIdError) = identityIdResult,
+                      case .unknown = identityIdError else {
+                    XCTFail("Should return unknown error")
+                    return
+                }
+
+                let tokensResult = (session as? AuthCognitoTokensProvider)?.getCognitoTokens()
+                guard case .failure(let tokenError) = tokensResult,
+                      case .unknown = tokenError else {
+                    XCTFail("Should return unknown error")
+                    return
+                }
+            case .failure(let error):
+                XCTFail("Received failure with error \(error)")
+            }
+        }
+        wait(for: [resultExpectation], timeout: apiTimeout)
+    }
 }

AmplifyPlugins/Auth/AWSCognitoAuthPluginTests/AuthorizationProviderTests/AuthorizationProviderSessionSignoutTests.swift

@@ -880,4 +880,58 @@ class AuthorizationProviderSessionSignoutTests: BaseAuthorizationProviderTest {
         }
         wait(for: [resultExpectation], timeout: apiTimeout)
     }
+
+    /// Test signedOut session with session with nil values in AWS credentials
+    ///
+    /// - Given: Given an auth plugin with signedOut state and unauthenticated access enabled in backend
+    /// - When:
+    ///    - I invoke fetchAuthSession and mock nil values in aws credentials
+    /// - Then:
+    ///    - I should get an a valid session with the following details:
+    ///         - isSignedIn = false
+    ///         - aws credentails = .unknown error
+    ///         - identity id = .unknown error
+    ///         - cognito tokens = .signedOut error
+    func testSignedOutSessionWithNilAWSCredentials() {
+        mockIdentityId()
+        mockAWSMobileClient.awsCredentialsMockResult = .success(AWSCredentials(accessKey: "mockAccess",
+                                                                               secretKey: "mockSecret",
+                                                                               sessionKey: "mockSession",
+                                                                               expiration: nil))
+
+        let resultExpectation = expectation(description: "Should receive a result")
+        _ = plugin.fetchAuthSession(options: AuthFetchSessionRequest.Options()) { result in
+            defer {
+                resultExpectation.fulfill()
+            }
+            switch result {
+            case .success(let session):
+                XCTAssertFalse(session.isSignedIn)
+
+                let credentialsResult = (session as? AuthAWSCredentialsProvider)?.getAWSCredentials()
+                guard case .failure(let credentialsError) = credentialsResult,
+                      case .unknown = credentialsError else {
+                    XCTFail("Should return unknown error")
+                    return
+                }
+
+                let identityIdResult = (session as? AuthCognitoIdentityProvider)?.getIdentityId()
+                guard case .failure(let identityIdError) = identityIdResult,
+                      case .unknown = identityIdError else {
+                    XCTFail("Should return unknown error")
+                    return
+                }
+
+                let tokensResult = (session as? AuthCognitoTokensProvider)?.getCognitoTokens()
+                guard case .failure(let error) = tokensResult,
+                      case .signedOut = error else {
+                    XCTFail("Should return signedOut error")
+                    return
+                }
+            case .failure(let error):
+                XCTFail("Received failure with error \(error)")
+            }
+        }
+        wait(for: [resultExpectation], timeout: apiTimeout)
+    }
 }

AmplifyPlugins/Auth/Podfile.lock

@@ -10,26 +10,26 @@ PODS:
     - AWSCore (~> 2.26.1)
     - AWSMobileClient (~> 2.26.1)
     - AWSPluginsCore (= 1.15.2)
-  - AWSAuthCore (2.26.1):
-    - AWSCore (= 2.26.1)
-  - AWSCognitoIdentityProvider (2.26.1):
-    - AWSCognitoIdentityProviderASF (= 2.26.1)
-    - AWSCore (= 2.26.1)
-  - AWSCognitoIdentityProviderASF (2.26.1)
-  - AWSCore (2.26.1)
-  - AWSMobileClient (2.26.1):
-    - AWSAuthCore (= 2.26.1)
-    - AWSCognitoIdentityProvider (= 2.26.1)
-    - AWSCognitoIdentityProviderASF (= 2.26.1)
-    - AWSCore (= 2.26.1)
+  - AWSAuthCore (2.26.2):
+    - AWSCore (= 2.26.2)
+  - AWSCognitoIdentityProvider (2.26.2):
+    - AWSCognitoIdentityProviderASF (= 2.26.2)
+    - AWSCore (= 2.26.2)
+  - AWSCognitoIdentityProviderASF (2.26.2)
+  - AWSCore (2.26.2)
+  - AWSMobileClient (2.26.2):
+    - AWSAuthCore (= 2.26.2)
+    - AWSCognitoIdentityProvider (= 2.26.2)
+    - AWSCognitoIdentityProviderASF (= 2.26.2)
+    - AWSCore (= 2.26.2)
   - AWSPluginsCore (1.15.2):
     - Amplify (= 1.15.2)
     - AWSCore (~> 2.26.1)
   - CwlCatchException (1.0.2)
   - CwlPreconditionTesting (1.1.1):
     - CwlCatchException
   - SwiftFormat/CLI (0.44.17)
-  - SwiftLint (0.44.0)
+  - SwiftLint (0.45.0)
 
 DEPENDENCIES:
   - Amplify (from `../../`)
@@ -76,16 +76,16 @@ CHECKOUT OPTIONS:
 SPEC CHECKSUMS:
   Amplify: f0e9e511d05925a1dd7b2b097b13694b2015aa25
   AmplifyTestCommon: 283bd8bf694569b1dda7f40f40a8ad1f97784eeb
-  AWSAuthCore: 264faaa6af5990af2c77effe8f398a4b80e6c44e
-  AWSCognitoIdentityProvider: 5df455775b57eb4e61862acd88d93e56113950c4
-  AWSCognitoIdentityProviderASF: b2c180f69537d57ff485f7314fd266032ca3f898
-  AWSCore: 0f855e20ccb13e028932b737f0706023a9561399
-  AWSMobileClient: ba255030a481b8a123b21585548e761456efc64b
+  AWSAuthCore: c785a33af10a45aab6456a5fa7150f759dad836f
+  AWSCognitoIdentityProvider: 0bea89a822d7dd76c7dc62212561a1074dee0031
+  AWSCognitoIdentityProviderASF: 425d7f40fb6a520f8437a5f8b991215239ec620b
+  AWSCore: dd7f74ab3f354aad435f83afdbfac91bcb7d44c2
+  AWSMobileClient: fc20c58eaad166b3d2a569ef9ce691d6fed0c5dd
   AWSPluginsCore: ff09e8b86b7969327a1ba0b8c6946d83008cbf81
   CwlCatchException: 70a52ae44ea5d46db7bd385f801a94942420cd8c
   CwlPreconditionTesting: d33a4e4f285c0b885fddcae5dfedfbb34d4f3961
   SwiftFormat: 3b5caa6389b2b9adbc00e133b3ccc8c6e687a6a4
-  SwiftLint: e96c0a8c770c7ebbc4d36c55baf9096bb65c4584
+  SwiftLint: e5c7f1fba68eccfc51509d5b2ce1699f5502e0c7
 
 PODFILE CHECKSUM: 371cf67fe35ebb5167d0880bad12b01618a0fb0e