Cognito User Pools: renew sessions before expiry threshold and take into account client clock skew

Author: beostjer

aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java

@@ -24,6 +24,7 @@
 
 import com.amazonaws.AmazonClientException;
 import com.amazonaws.AmazonServiceException;
+import com.amazonaws.SDKGlobalConfiguration;
 import com.amazonaws.mobileconnectors.cognitoidentityprovider.continuations.AuthenticationContinuation;
 import com.amazonaws.mobileconnectors.cognitoidentityprovider.continuations.AuthenticationDetails;
 import com.amazonaws.mobileconnectors.cognitoidentityprovider.continuations.ForgotPasswordContinuation;
@@ -103,6 +104,8 @@
  */
 public class CognitoUser {
     private final String TAG = "CognitoUser";
+    /** Default threshold for refreshing session credentials */
+    public static final int DEFAULT_THRESHOLD_SECONDS = 500;
 
     /**
      * Application context.
@@ -620,6 +623,24 @@ public void getSession(final AuthenticationHandler callback) {
         }
     }
 
+    /**
+     * Returns true if a new session needs to be started. A new session
+     * is needed when no session has been started yet, or if the last session is
+     * within the configured refresh threshold.
+     *
+     * @return True if a new session needs to be started.
+     */
+    private boolean needsNewSession(CognitoUserSession userSession) {
+        if (userSession == null) {
+            return true;
+        }
+        long currentTime = System.currentTimeMillis()
+                - SDKGlobalConfiguration.getGlobalTimeOffset() * 1000;
+        long timeRemaining = userSession.getIdToken().getExpiration().getTime()
+                - currentTime;
+        return timeRemaining < (DEFAULT_THRESHOLD_SECONDS * 1000);
+    }
+
     /**
      * Call this method for valid, cached tokens for this user.
      *
@@ -630,19 +651,17 @@ private CognitoUserSession getCachedSession() {
             throw new CognitoNotAuthorizedException("User-ID is null");
         }
 
-        if (cipSession != null) {
-            if (cipSession.isValid()) {
-                return cipSession;
-            }
+        if (!needsNewSession(cipSession)) {
+            return cipSession;
         }
 
         // Read cached tokens
         CognitoUserSession cachedTokens = readCachedTokens();
 
-        // Return cached tokens if they are still valid
-        if (cachedTokens.isValid()) {
+        // Return cached tokens if they are still valid with some margin
+        if (!needsNewSession(cachedTokens)) {
             cipSession = cachedTokens;
-            return  cipSession;
+            return cipSession;
         }
 
         if (cachedTokens.getRefreshToken() != null) {

aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUserSession.java

@@ -17,6 +17,7 @@
 
 package com.amazonaws.mobileconnectors.cognitoidentityprovider;
 
+import com.amazonaws.SDKGlobalConfiguration;
 import com.amazonaws.mobileconnectors.cognitoidentityprovider.tokens.CognitoAccessToken;
 import com.amazonaws.mobileconnectors.cognitoidentityprovider.tokens.CognitoIdToken;
 import com.amazonaws.mobileconnectors.cognitoidentityprovider.tokens.CognitoRefreshToken;
@@ -27,6 +28,8 @@
  * This wraps all Cognito tokens for a user.
  */
 public class CognitoUserSession {
+    /** Default threshold for refreshing session credentials */
+    public static final int DEFAULT_THRESHOLD_SECONDS = 500;
     /**
      * Cognito identity token.
      */
@@ -88,8 +91,8 @@ public CognitoRefreshToken getRefreshToken() {
      * @return boolean to indicate if the access and id tokens have not expired.
      */
     public boolean isValid() {
-        Date currentTimeStamp = new Date();
-        
+        Date currentTimeStamp = new Date(System.currentTimeMillis()
+                - SDKGlobalConfiguration.getGlobalTimeOffset() * 1000);
         try {
             return (currentTimeStamp.before(idToken.getExpiration())
                     & currentTimeStamp.before(accessToken.getExpiration()));