Inconsistent behavior when session expires (refresh token dead)

[dcristolovean]

Describe the bug

I'm transitioning from AWSMobileClient to Amplify and it's a huge endeavor. I'm a bit stuck with handling session expiration cases and it might be a bug (or intended behavior, but then see the questions).
My app is configured to use auth user AND non-auth users.

So, let's assume in my Amplify.Hub.listen (...) I receive the sessionExpired event.
This leaves me in a totally inconsistent state, where, I would like to revert to a non-auth user and continue using the app. Or display something, doesn't matter.

But when I get the sessionExpired event, nothing works anymore: fetchAuthSession is dead, getIdentityId is dead, API calls are dead.
And the reason for that is that the fetchAuthSession returns isSignedIn = true and still has a user stalled somewhere.

The only way I could transition back to a non auth user is to call Amplify.Auth.signOut() and actually get rid of my bad user. After that, everything works again, I am a non-auth user.

This approach has one big problem: the user plays in the app and suddenly he gets the system dialog to sign in. We all know the issue with that text in the system dialog. It's really bad to just show this dialog out of the blue. And they might press CANCEL.

So... how can I get rid of the logged in user with the expired session ? Silently, not showing anything to the user.

PS: (Rant) The documentation is, again, completely useless, doesn't explain anything, doesn't give any actual real world examples. I'm using AWS for 10 years now and this was always the weak link. I expected Amplify to finally fix this issue, but unfortunately the documentation is just as useless as before.

PS2: Interestingly enough, on Android, according to my colleague, when he gets a sessionExpired in the Hub, calling fetchAuthSession magically fixes everything, session doesn't show signed in anymore and no user left to sign out and he's a non-auth user with a new identityId.

Steps To Reproduce

Kinda hard to provide some steps, it's a more generic theoretical question

Expected behavior

1. Either clean up the user when sessionExpires automatically and make sure we have an non-auth user working.
2. Provide another signOut() way without web. I use SSO and I need the cookies. This user is actually local, the session is dead anyway, so not really sure what a webpage is supposed to do with it and why it's needed to log out in this case.

Amplify Framework Version

2.45.2

Amplify Categories

Auth

Dependency manager

Swift PM

Platforms

iOS

[edisooon]

Hi @dcristolovean , thank you for submitting this issue. One of our team members will take a look into this matter and provide with an answer here.

[dcristolovean]

I discovered also an interesting behavior. So the session is dead and I call signOut(). I press CANCEL on the system dialog but the user is logged out and session can be fixed now, with fetch.

Which leads me to believe that signOut() has 2 parts: one on API side, web stuff, it works if there's a session valid, otherwise .... and one local part that cleans up the local user. The thing is that if the 1st part fails (or i press cancel), you still clean up local stuff and everything will work from now on.

At least there's that, but if I'm right, then you really should have a signOut() method that actually detects the session is dead so there's no point for any web stuff or any system dialog to be displayed and only do the local part.

And another thing. If the session expires when the app is opened, you have to handle the error from the API, which is nowhere to be found in the doc. Putting some prints when you detect an API error is not a documentation.
After digging around, I hope this is it:

if let apiError = error as? APIError {
switch apiError {
.......
case .operationError(let errorMessage, let recoverySuggestion, let underlyingError):

}
}

[harsh62]

So... how can I get rid of the logged in user with the expired session ? Silently, not showing anything to the user.

@dcristolovean There is currently no way of achieving a silent logout if you are using HostedUI via non private session. I am discussing this internally within the team to provide some kind of way to only sign out locally via an API option.

And another thing. If the session expires when the app is opened, you have to handle the error from the API, which is nowhere to be found in the doc. Putting some prints when you detect an API error is not a documentation.

I'll take this feedback and see if we are able to improve documentation around error handling.

[harsh62]

@dcristolovean I tried fixing the issues in the attached PR.. Are you able to validate if this fixes your problem?

The fix:

• The system will cache if a session has expired, by using the fetchAuthSession results during a session expired event.
• The system will check if the session expired during hosted ui sign out, if yes, it will ignore the users cancel, since expired credentials are worthless.

Let me know if this works and you have any feedback.

[dcristolovean]

I will test at some point, but not right now, I got the code into a very stable version and can't risk it at the moment.
BUT: as long as Amplify does the logout silently locally when session is expired, without opening a useless webpage and prompting the user with the wrong apple text, we're golden! :)