fix(auth): add checks against random logouts (#4099)

* fix: only throw session expired for cognito provider

* add more protection against random logouts

* fix unit tests

* fix swift format

* Update AuthenticationProviderDeleteUserTests.swift

* reverting protected data changes

Author: harsh62

AmplifyPlugins/Auth/Sources/AWSCognitoAuthPlugin/Actions/FetchAuthorizationSession/InformSessionError.swift

@@ -21,7 +21,7 @@ struct InformSessionError: Action {
         logVerbose("\(#fileID) Starting execution", environment: environment)
         let event: AuthorizationEvent = switch error {
         case .service(let serviceError):
-            if isNotAuthorizedError(serviceError) {
+            if serviceError is AWSCognitoIdentityProvider.NotAuthorizedException {
                 .init(eventType: .throwError(
                     .sessionExpired(error: serviceError)))
             } else {
@@ -34,11 +34,6 @@ struct InformSessionError: Action {
         logVerbose("\(#fileID) Sending event \(event.type)", environment: environment)
         await dispatcher.send(event)
     }
-
-    func isNotAuthorizedError(_ error: Error) -> Bool {
-        error is AWSCognitoIdentity.NotAuthorizedException
-        || error is AWSCognitoIdentityProvider.NotAuthorizedException
-    }
 }
 
 extension InformSessionError: DefaultLogger {

AmplifyPlugins/Auth/Sources/AWSCognitoAuthPlugin/Support/Helpers/AuthCognitoTokens+Validation.swift

@@ -13,18 +13,19 @@ extension AWSCognitoUserPoolTokens {
 
     func doesExpire(in seconds: TimeInterval = 0) -> Bool {
 
-        let currentTime = Date(timeIntervalSinceNow: seconds)
         guard let idTokenClaims = try? AWSAuthService().getTokenClaims(tokenString: idToken).get(),
               let accessTokenClaims = try? AWSAuthService().getTokenClaims(tokenString: accessToken).get(),
               let idTokenExpiration = idTokenClaims["exp"]?.doubleValue,
               let accessTokenExpiration = accessTokenClaims["exp"]?.doubleValue
         else {
-            return currentTime > expiration
+            // If token parsing fails, return as expired, to just force refresh
+            return true
         }
 
         let idTokenExpiry = Date(timeIntervalSince1970: idTokenExpiration)
         let accessTokenExpiry = Date(timeIntervalSince1970: accessTokenExpiration)
 
+        let currentTime = Date(timeIntervalSinceNow: seconds)
         return currentTime > idTokenExpiry || currentTime > accessTokenExpiry
     }
 

AmplifyPlugins/Auth/Tests/AWSCognitoAuthPluginUnitTests/TaskTests/ClientBehaviorTests/AuthenticationProviderDeleteUserTests.swift

@@ -141,7 +141,17 @@ class AuthenticationProviderDeleteUserTests: BasePluginTest {
         mockIdentityProvider = MockIdentityProvider(
             mockRevokeTokenResponse: { _ in
                 RevokeTokenOutput()
-            }, mockGlobalSignOutResponse: { _ in
+            },
+            mockGetTokensFromRefreshTokenResponse: { _ in
+                return GetTokensFromRefreshTokenOutput(
+                    authenticationResult: .init(
+                        accessToken: "accessTokenNew",
+                        expiresIn: 100,
+                        idToken: "idTokenNew",
+                        refreshToken: "refreshTokenNew"
+                    ))
+            },
+            mockGlobalSignOutResponse: { _ in
                 GlobalSignOutOutput()
             },
             mockDeleteUserOutput: { _ in