Skip to content

feat: Replace AWS Amplify with Direct Cognito OAuth Implementation#545

Open
DerekRoberts wants to merge 5 commits intomainfrom
feat/remove-aws-amplify-direct-cognito-oauth
Open

feat: Replace AWS Amplify with Direct Cognito OAuth Implementation#545
DerekRoberts wants to merge 5 commits intomainfrom
feat/remove-aws-amplify-direct-cognito-oauth

Conversation

@DerekRoberts
Copy link
Member

@DerekRoberts DerekRoberts commented Jan 12, 2026
edited by github-actions bot
Loading

Overview

This PR replaces the AWS Amplify dependency with a lightweight direct Cognito OAuth implementation, significantly reducing bundle size and dependencies while maintaining full authentication functionality including automatic token refresh.

Changes

Core Implementation

  • ✅ Created CognitoAuthService with complete OAuth flow
    • OAuth authorization URL construction
    • Token exchange (authorization code flow)
    • Cookie management with security settings
    • Automatic token refresh (every 2 minutes, matching Amplify behavior)
    • Token expiration checking (refreshes when expiring within 5 minutes)

Updated Components

  • ✅ Updated AuthProvider to use CognitoAuthService instead of Amplify
  • ✅ Removed Amplify configuration from index.tsx
  • ✅ Deleted amplifyconfiguration.ts (no longer needed)
  • ✅ Updated types to remove Amplify JWT dependency

Testing

  • ✅ Updated AuthProvider tests to mock CognitoAuthService
  • ✅ Updated index.test.tsx to remove Amplify mocks
  • ✅ Created comprehensive CognitoAuthService.test.ts with test coverage

Dependencies

  • ✅ Removed aws-amplify from package.json
  • ✅ Updated package-lock.json (155 packages removed)

Documentation

  • ✅ Updated COOKIE_SECURITY.md to reflect new implementation
  • ✅ Updated Sonar exclusions

Benefits

Bundle Size Reduction

  • 155 packages removed (including transitive dependencies)
  • ~39 MB removed from node_modules
  • ~140-190 KB reduction in production bundle (gzipped)

Security

  • 2 low-severity vulnerabilities removed
  • Reduced attack surface (fewer dependencies to audit)
  • Direct control over OAuth implementation

Maintenance

  • 15-28 hours/year saved on package updates and security audits
  • No dependency on external breaking changes
  • Full control over authentication flow

Session Management

Automatic token refresh is fully implemented and matches AWS Amplify behavior:

  • Tokens are automatically refreshed every 2 minutes (matching Amplify's 2-3 minute pattern)
  • Tokens are refreshed when expiring within 5 minutes (same buffer as Amplify)
  • Refresh happens in the background without user interruption
  • Session persists as long as refresh token is valid (typically 30 days)
  • Seamless user experience - no unexpected logouts

Testing

All existing tests have been updated and new tests added:

  • ✅ AuthProvider tests updated
  • ✅ CognitoAuthService tests created
  • ✅ No linting errors
  • ✅ All mocks updated for async token retrieval

Migration Notes

  • No breaking changes - API surface remains the same
  • Cookie format maintained (compatible with existing tokens)
  • OAuth flow unchanged (same Cognito endpoints)
  • Same security settings (SameSite, Secure, etc.)

Verification Checklist

  • All tests pass
  • No linting errors
  • Session management (auto-refresh) implemented
  • Token expiration handling
  • OAuth callback handling
  • Logout flow
  • Cookie security maintained
  • Documentation updated

Related

Addresses the concern about losing session manager functionality - automatic token refresh is fully implemented and matches Amplify's behavior.

Thanks for the PR!

Deployments, as required, will be available below:

Please create PRs in draft mode. Mark as ready to enable:

After merge, new images are deployed in:

@DerekRoberts
feat: replace AWS Amplify with direct Cognito OAuth implementation
f49728c 
Replace AWS Amplify dependency with lightweight direct Cognito OAuth
implementation, reducing bundle size by ~39MB and removing 155 packages
while maintaining full authentication functionality including automatic
token refresh.

Key changes:
- Create CognitoAuthService with OAuth flow, token exchange, and cookie management
- Implement automatic token refresh (every 2 minutes) matching Amplify behavior
- Update AuthProvider to use CognitoAuthService instead of Amplify
- Remove aws-amplify dependency and all related packages
- Update tests to mock CognitoAuthService
- Update documentation to reflect new implementation

Benefits:
- Reduced dependencies: 155 packages removed
- Smaller bundle: ~140-190KB reduction in production bundle
- Security: 2 low-severity vulnerabilities removed
- Maintenance: No external auth package updates needed
- Full feature parity: Session management, auto-refresh, OAuth flows

Session management:
- Automatic token refresh every 2 minutes (matches Amplify)
- Tokens refreshed when expiring within 5 minutes
- Seamless session persistence using refresh tokens
- Background refresh maintains user sessions
Copilot AI review requested due to automatic review settings January 12, 2026 18:56
@DerekRoberts
docs: add feature comparison document for Amplify migration
04c8034 
Document that setup convenience and session management are both
maintained or improved in the direct Cognito OAuth implementation.
Copilot AI reviewed Jan 12, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR replaces the AWS Amplify dependency with a lightweight direct Cognito OAuth implementation to reduce bundle size (removing 155 packages and ~140-190 KB gzipped) and dependencies while maintaining authentication functionality including automatic token refresh.

Changes:

  • Implemented CognitoAuthService for direct OAuth integration with Cognito including authorization flow, token exchange, cookie management, and automatic token refresh
  • Updated AuthProvider to use CognitoAuthService instead of AWS Amplify APIs
  • Removed AWS Amplify dependencies from package.json and related configuration files

Reviewed changes

Copilot reviewed 12 out of 14 changed files in this pull request and generated 14 comments.

Show a summary per file
File Description
frontend/vite.config.ts Removed amplifyconfiguration.ts from test exclusions
frontend/src/types/amplify.ts Replaced Amplify JWT type import with custom JWT interface
frontend/src/services/CognitoAuthService.ts New service implementing OAuth flow, token management, and automatic refresh
frontend/src/module.d.ts Removed aws-amplify module declaration
frontend/src/index.tsx Removed Amplify configuration and CookieStorage setup
frontend/src/contexts/AuthProvider.tsx Updated to use CognitoAuthService with OAuth callback handling and token refresh interval
frontend/src/amplifyconfiguration.ts Deleted configuration file (no longer needed)
frontend/src/tests/services/CognitoAuthService.test.ts New comprehensive test suite for CognitoAuthService
frontend/src/tests/index.test.tsx Removed Amplify-related test mocks and assertions
frontend/src/tests/contexts/AuthProvider.test.tsx Updated mocks to use CognitoAuthService instead of Amplify
frontend/package.json Removed aws-amplify dependency
docs/COOKIE_SECURITY.md Updated documentation to reflect direct Cognito OAuth implementation

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@DerekRoberts
fix: address critical Copilot PR feedback
e53f2ea 
- Handle optional refresh_token in token refresh response (preserve existing if not returned)
- Use refreshed token directly instead of reading from cookies (fixes race condition)
- Clean up OAuth code from URL immediately after extraction (security)
- Add JWT validation before decoding in storeTokens()
- Sanitize error messages (don't expose sensitive info in production)
- Fix cookie Secure flag formatting (remove trailing space)
- Extract baseCookieName to method (reduce magic strings)
- Fix test JWT format (use proper JWT structure)
- Fix deprecated substr() in tests
- Update documentation date

All critical security and correctness issues addressed.
@DerekRoberts DerekRoberts self-assigned this Jan 12, 2026
@DerekRoberts
perf: remove redundant loadUserToken() call in refresh interval
6c449ab 
refreshUserState() already calls loadUserToken() internally, so calling
it twice was redundant. This eliminates duplicate token retrieval and
parsing, making the code cleaner and more efficient for reuse in other
projects.

Benefits:
- Eliminates duplicate getTokens() calls
- Reduces unnecessary cookie reads
- Cleaner pattern for reuse
- Better performance
@DerekRoberts
test: add error scenario tests for CognitoAuthService
39cf9f3 
Add comprehensive error handling tests:
- Token refresh failure (non-OK response from endpoint)
- Malformed JWT tokens that can't be parsed
- Tokens without expiration claims
- Token exchange failures during handleCallback
- Network errors during token exchange

All tests passing. Improves test coverage for error paths.
@DerekRoberts DerekRoberts moved this from New to Active in DevOps (NR) Jan 13, 2026
@DerekRoberts DerekRoberts moved this from Active to Next in DevOps (NR) Jan 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@DerekRoberts DerekRoberts

Labels

None yet

Projects

DevOps (NR)
Status: Next

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@DerekRoberts