Merge pull request #164 from jeroenost/master

Fix Cognito User Pools token refresh and failure handling

Author: mreddyg

aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java

@@ -22,7 +22,9 @@
 import android.os.Handler;
 import android.util.Log;
 
+import com.amazonaws.AmazonClientException;
 import com.amazonaws.AmazonServiceException;
+import com.amazonaws.SDKGlobalConfiguration;
 import com.amazonaws.mobileconnectors.cognitoidentityprovider.continuations.AuthenticationContinuation;
 import com.amazonaws.mobileconnectors.cognitoidentityprovider.continuations.AuthenticationDetails;
 import com.amazonaws.mobileconnectors.cognitoidentityprovider.continuations.ForgotPasswordContinuation;
@@ -102,6 +104,8 @@
  */
 public class CognitoUser {
     private final String TAG = "CognitoUser";
+    /** Default threshold for refreshing session credentials */
+    public static final int DEFAULT_THRESHOLD_SECONDS = 500;
 
     /**
      * Application context.
@@ -619,6 +623,24 @@ public void getSession(final AuthenticationHandler callback) {
         }
     }
 
+    /**
+     * Returns true if a new session needs to be started. A new session
+     * is needed when no session has been started yet, or if the last session is
+     * within the configured refresh threshold.
+     *
+     * @return True if a new session needs to be started.
+     */
+    private boolean needsNewSession(CognitoUserSession userSession) {
+        if (userSession == null) {
+            return true;
+        }
+        long currentTime = System.currentTimeMillis()
+                - SDKGlobalConfiguration.getGlobalTimeOffset() * 1000;
+        long timeRemaining = userSession.getIdToken().getExpiration().getTime()
+                - currentTime;
+        return timeRemaining < (DEFAULT_THRESHOLD_SECONDS * 1000);
+    }
+
     /**
      * Call this method for valid, cached tokens for this user.
      *
@@ -629,33 +651,36 @@ private CognitoUserSession getCachedSession() {
             throw new CognitoNotAuthorizedException("User-ID is null");
         }
 
-        if (cipSession != null) {
-            if (cipSession.isValid()) {
-                return cipSession;
-            }
+        if (!needsNewSession(cipSession)) {
+            return cipSession;
         }
 
         // Read cached tokens
         CognitoUserSession cachedTokens = readCachedTokens();
 
-        // Return cached tokens if they are still valid
-        if (cachedTokens.isValid()) {
+        // Return cached tokens if they are still valid with some margin
+        if (!needsNewSession(cachedTokens)) {
             cipSession = cachedTokens;
-            return  cipSession;
+            return cipSession;
         }
 
-        // Clear any cached tokens, since none of them are valid.
-        clearCachedTokens();
-
         if (cachedTokens.getRefreshToken() != null) {
             // Use Refresh token to get new tokens
             try {
                 cipSession = refreshSessionInternal(cachedTokens.getRefreshToken());
                 cacheTokens(cipSession);
                 return cipSession;
-            } catch (Exception e) {
+            } catch (CognitoNotAuthorizedException e) {
+                // Clear any cached tokens, since none of them are valid.
+                clearCachedTokens();
                 // Could not get new tokens from refresh. Should authenticate user.
-                throw new CognitoNotAuthorizedException("user is not authenticated");
+                throw new CognitoNotAuthorizedException("user is not authenticated",e);
+            } catch (AmazonClientException e) {
+                // General IO errors - not clearing cached tokens
+                throw new AmazonClientException("failed to get new tokens from refresh",e);
+            } catch (Exception e) {
+                // Errors like NetworkOnMainThreadException etc - not clearing cached tokens.
+                throw new AmazonClientException("failed to get new tokens from refresh",e);
             }
         }
         throw new CognitoNotAuthorizedException("user is not authenticated");
@@ -2018,7 +2043,7 @@ private CognitoUserSession refreshSessionInternal(CognitoRefreshToken refreshTok
                     cognitoIdentityProviderClient.refreshTokens(refreshTokensRequest);
             AuthenticationResultType authenticationResult = refreshTokensResult.getAuthenticationResult();
 
-            if (authenticationResult != null) {
+            if (authenticationResult == null) {
                 throw new CognitoNotAuthorizedException("user is not authenticated");
             }
 

aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUserSession.java

@@ -17,6 +17,7 @@
 
 package com.amazonaws.mobileconnectors.cognitoidentityprovider;
 
+import com.amazonaws.SDKGlobalConfiguration;
 import com.amazonaws.mobileconnectors.cognitoidentityprovider.tokens.CognitoAccessToken;
 import com.amazonaws.mobileconnectors.cognitoidentityprovider.tokens.CognitoIdToken;
 import com.amazonaws.mobileconnectors.cognitoidentityprovider.tokens.CognitoRefreshToken;
@@ -27,6 +28,8 @@
  * This wraps all Cognito tokens for a user.
  */
 public class CognitoUserSession {
+    /** Default threshold for refreshing session credentials */
+    public static final int DEFAULT_THRESHOLD_SECONDS = 500;
     /**
      * Cognito identity token.
      */
@@ -88,8 +91,8 @@ public CognitoRefreshToken getRefreshToken() {
      * @return boolean to indicate if the access and id tokens have not expired.
      */
     public boolean isValid() {
-        Date currentTimeStamp = new Date();
-        
+        Date currentTimeStamp = new Date(System.currentTimeMillis()
+                - SDKGlobalConfiguration.getGlobalTimeOffset() * 1000);
         try {
             return (currentTimeStamp.before(idToken.getExpiration())
                     & currentTimeStamp.before(accessToken.getExpiration()));