Auth.currentSession() doesn't work in SSR when token expires

Describe the bug

I use Next.js with Amplify {ssr: true}. I extract the token from req in getServerSideProps in this way:

import { withSSRContext } from 'aws-amplify';

export async function getServerSideProps(context) {
  // Amplify reads the auth cookies from context.req
  const { Auth } = withSSRContext(context);
  const session = await Auth.currentSession(); // rejects once the tokens have expired
  // ...
  return { props: {} };
}

To Reproduce

It works if the user logged in recently. But if the user closes the tab and opens it a few hours later, this line will throw an error: const session = await Auth.currentSession()

The reason is clear: it happens because the user's tokens are not valid anymore. BUT in the documentation https://docs.amplify.aws/lib/auth/overview/q/platform/js#sign-up-and-sign-in I found that:

The Amplify client will refresh the tokens calling Auth.currentSession if they are no longer valid.

Seems that it doesn’t work on server side. It just throws an error without possibility to refresh tokens.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 5
  • Comments: 13 (3 by maintainers)

Top GitHub Comments

7 reactions
ericclemmons commented, Nov 5, 2020

Unfortunately, that’s expected behavior based on today’s implementation: the client handles the refreshing and the server is basically “read-only”:

https://github.com/aws-amplify/amplify-js/blob/8b3183f4d2ec7289044e2b6700e3ff4df3f98ce4/packages/core/src/UniversalStorage/index.ts#L87-L88

I agree, the server & client should work the same way. For some background, not saving the refresh token was done to get SSR working sooner, then get an httpOnly cookie solution working next.

I’m going to mark this as a feature request with the following action items for visibility, which of course will need to have its security posture reviewed:

  1. Include refreshToken in UniversalStorage.
     • Can this be shipped as-is, even without httpOnly cookies?
  2. Update withSSRContext to include { res }, converting cookies to httpOnly.
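The issue above and the reply by ericclemmons describe the same failure mode: on the server, the Auth returned by withSSRContext cannot refresh, so Auth.currentSession() rejects once the tokens have expired and the page render fails. The block below is an added example, not code from the issue or from amplify-js. It wraps the call so that getServerSideProps answers with a redirect to a login page (where the client, which can refresh, takes over) instead of throwing, and it only exposes the username and expiry to the page rather than the raw tokens. The helper names withServerSession, sessionToProps and loginRedirect, the injected getSession function, the /login route and the sample session objects are all assumptions made for the example.

```javascript
// Added example, not code from the issue or from Amplify.
// `getSession` is injected so the helper runs without aws-amplify installed;
// in a real page it would be `() => withSSRContext(context).Auth.currentSession()`.

// Pick out only what the page needs from a session object. The shape used here
// (getIdToken().payload) follows Amplify's CognitoUserSession, but the objects
// passed in by the tests are constructed for this example.
function sessionToProps(session) {
  const { payload } = session.getIdToken();
  return {
    username: payload['cognito:username'] ?? null,
    // Expose the expiry, never the raw JWTs, to the rendered page.
    expiresAt: payload.exp ?? null,
  };
}

// Only same-site paths are accepted as a return target, so the login redirect
// cannot be pointed at another origin ("//host" and "/\host" are rejected too).
function isLocalPath(path) {
  return typeof path === 'string' && /^\/(?![\/\\])/.test(path);
}

// Next.js getServerSideProps result that sends the browser to the login page.
function loginRedirect(loginPath, returnTo) {
  const safeReturn = isLocalPath(returnTo) ? returnTo : '/';
  return {
    redirect: {
      destination: `${loginPath}?returnTo=${encodeURIComponent(safeReturn)}`,
      permanent: false,
    },
  };
}

async function withServerSession(getSession, { loginPath = '/login', returnTo = '/' } = {}) {
  let session;
  try {
    session = await getSession();
  } catch (err) {
    // No refresh is possible server-side, so any failure means the client has
    // to re-authenticate. Keep the reason in server logs; do not send it to the page.
    console.warn('server session unavailable:', err instanceof Error ? err.message : String(err));
    return loginRedirect(loginPath, returnTo);
  }
  return { props: { auth: sessionToProps(session) } };
}

// Usage in a Next.js page (assumes aws-amplify is configured with ssr: true):
//
// export async function getServerSideProps(context) {
//   const { Auth } = withSSRContext(context);
//   return withServerSession(() => Auth.currentSession(), {
//     returnTo: context.resolvedUrl,
//   });
// }
```

Because the server is read-only with respect to the session, the redirect is the only correct reaction to a rejected Auth.currentSession() until the refresh token is made available there; the client-side Amplify instance on the login page performs the refresh or sign-in and the user is sent back to returnTo.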

6 reactions
liamlevesqueP8 commented, Mar 31, 2021

So is there a way to work around this currently if trying to handle protected routes on the server (or do anything requiring auth on the servers)? Or do I have to revert to a client side implementation? Because currently sessions are roughly 10 mins long it seems and that’s a deal breaker…
