
deleteUser method causes cookie problems and prevents accessing Hosted UI


I have a weird problem. I am trying to allow a user to delete his profile:

<button onClick={() => {
  Auth.currentAuthenticatedUser().then(user => {
    user.deleteUser((err, result) => {
      if (err) {
        console.log('User deletion error: ' + err)
        return
      }
      console.log('User deletion result: ' + result)
    })
  }).catch(e => {
    console.log(e)
  })
}}>Delete Account</button>

However, the deleteUser method does not finish up the job of signing out the user. It sort of does sign him out, i.e. when I reload the page, the currentAuthenticatedUser method does not find a user object anymore. However, the deleteUser method’s signout is not caught by my Hub listening to the signOut event and it will later cause some weird glitch with cookies (both different from the Auth.signOut method). So the cookie glitch is that when the user tries to create a new account by calling Auth.federatedSignIn, he will receive some cookies from the Hosted UI domain and then the browser throws an invalid_token error. This will repeat on retrying and leaves you stuck and unable to access the Hosted UI. What helps though is to manually delete those cookies after the first failed signin attempt.

Calling signOut in that state also does not end that state (which is weird because it should delete all cookies I guess? but it fails because there is no user signed in anymore). So, adding a signOut like this in the deleteUser button will not help because it is “already too late”:

<button onClick={() => {
  Auth.currentAuthenticatedUser().then(user => {
    user.deleteUser((err, result) => {
      if (err) {
        console.log('User deletion error: ' + err)
        return
      }
      console.log('User deletion result: ' + result)
      Auth.signOut()
    })
  }).catch(e => {
    console.log(e)
  })
}}>Delete Account</button>

The other way round (first signing out the user and then calling user.deleteUser) does not work either because the deleteUser method depends on the user object which has already been removed in the signOut.

The “best solution” is a hack where I simultaneously call both methods:

<button onClick={() => {
  Auth.currentAuthenticatedUser().then(user => {
    Auth.signOut()
    user.deleteUser((err, result) => {
      if (err) {
        console.log('User deletion error: ' + err)
        return
      }
      console.log('User deletion result: ' + result)
    })
  }).catch(e => {
    console.log(e)
  })
}}>Delete Account</button>

This signs out the user properly (like when normally calling it without deleting the user) and prevents the signin cookie problem. And it also deletes the user from the user pool (though not logging the result anymore). It is obviously a hacky way to do that and just works “by accident” considering that the two functions work on the same user object at the same time. But it proves that the deleteUser function is bugged in the Amplify context…

Any suggestions how to solve this? (I tried to delete those cookies manually from JS, but couldn’t get it to work.) Otherwise, I guess it shows that we need a “native” Amplify method for that as asked for in this issue: https://github.com/aws-amplify/amplify-js/issues/469

Issue state: closed, created 4 years ago, 5 comments (2 by maintainers)

Top GitHub Comments

tinymarsracing commented, Apr 30, 2019 (5 reactions)

Hi Manuel, thanks for your reply. Your hint that you have to “sign out from the Hosted UI” gave me an aha moment. Now the behaviour and the cookie domain of these “glitched” cookies all makes sense. 😉 I found this other comment and used that workaround and now it works. Thanks!

But I’m guessing a cleaner solution would be something like that (as I already tried to implement):

<button onClick={() => {
  Auth.currentAuthenticatedUser().then(user => {
    Auth.signOut().then(() => {
      user.deleteUser((err, result) => {
        if (err) {
          console.log('User deletion error: ' + err)
          return
        }
        console.log('User deletion result: ' + result)
      })
    })
  })
}}>Delete Account</button>

But as I said this won’t work because the user object will have been deleted by Auth.signOut (and also deleteUser relies on some other objects that will have been deleted as well). Is there a way to make this code work?

manueliglesias commented, Apr 30, 2019 (1 reaction)

@tinymarsracing I am glad you got the cookies thing working!

Regarding the deletion… Can you try something like this? (please note that this uses unsupported private functions, so it is just to explore possible solutions)

<button onClick={async () => {
    const user = await Auth.currentAuthenticatedUser();

    await new Promise((res, rej) => user.deleteUser((err, result) => err ? rej(err) : res(result)));

    Auth._oAuthHandler.signOut();
}}>Delete Account</button>

does that make sense?
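The ordering the thread converges on (delete the user while the session is still valid, then sign out so that Hub listeners fire and the Hosted UI state is cleared, rather than sign out first as in the issue's last snippet) can be shown in one runnable file. This is an added example, not code from the issue, from the commenters, or from Amplify: `makeFakeAmplify`, its `Auth`, `Hub` and `userPool` are constructed stand-ins so the file runs offline, and the real library behaves differently in details (for instance, with Hosted UI configured, `Auth.signOut()` redirects the browser to the Cognito logout endpoint, so nothing after it should be relied on). `deleteUserAsync` and `deleteAccount` are the names chosen here for the promise wrapper and the ordered flow.

```javascript
// Added example (not from the issue or Amplify). Demonstrates why the server-side
// delete has to run before the sign-out, and what a sign-out-first order leaves behind.

// Constructed stand-in for the Amplify surface used in the issue (assumption, not the real API).
function makeFakeAmplify(initialUsername) {
  const userPool = new Set([initialUsername]);           // server-side user records
  const state = { session: initialUsername, hostedUiCookies: ['cognito'] };
  const listeners = [];

  const Hub = {
    listen(channel, fn) { listeners.push({ channel, fn }); },
    dispatch(channel, payload) {
      for (const l of listeners) if (l.channel === channel) l.fn({ channel, payload });
    },
  };

  const Auth = {
    async currentAuthenticatedUser() {
      if (!state.session) throw new Error('not authenticated');
      const username = state.session;
      return {
        username,
        // Callback-style API, mirroring CognitoUser.deleteUser(callback).
        deleteUser(callback) {
          // The delete needs the live session; once signed out it can only fail.
          if (state.session !== username) {
            callback(new Error('no valid session for ' + username));
            return;
          }
          userPool.delete(username);
          callback(null, 'SUCCESS');
        },
      };
    },
    async signOut() {
      state.session = null;          // local tokens gone
      state.hostedUiCookies = [];    // Hosted UI state gone
      Hub.dispatch('auth', { event: 'signOut' });
    },
  };

  return { Auth, Hub, userPool, state };
}

// Wrap the callback API in a promise so the ordering can be expressed with await.
function deleteUserAsync(user) {
  return new Promise((resolve, reject) =>
    user.deleteUser((err, result) => (err ? reject(err) : resolve(result))));
}

// Correct order: delete first (needs the session), then sign out.
async function deleteAccount(Auth) {
  const user = await Auth.currentAuthenticatedUser();
  const result = await deleteUserAsync(user);
  await Auth.signOut();
  return result;
}

// Reversed order, kept to show why it fails: the session is gone before the delete runs.
async function deleteAccountSignOutFirst(Auth) {
  const user = await Auth.currentAuthenticatedUser();
  await Auth.signOut();
  return deleteUserAsync(user);
}

// Runs both orders against fresh fakes and reports what each left behind.
async function compareOrders() {
  const ok = makeFakeAmplify('alice');
  const events = [];
  ok.Hub.listen('auth', ({ payload }) => events.push(payload.event));
  const result = await deleteAccount(ok.Auth);

  const bad = makeFakeAmplify('bob');
  let error = null;
  try { await deleteAccountSignOutFirst(bad.Auth); } catch (e) { error = e.message; }

  return {
    result,                                              // 'SUCCESS'
    events,                                              // ['signOut']: the Hub listener fired
    userStillInPool: ok.userPool.has('alice'),           // false
    hostedUiCookies: ok.state.hostedUiCookies.length,    // 0
    reversedOrderError: error,                           // 'no valid session for bob'
    reversedOrderUserInPool: bad.userPool.has('bob'),    // true: the delete never happened
  };
}

compareOrders().then(r => console.log(r));
```

The point of the fake is the dependency it encodes: `deleteUser` only succeeds while the session that produced the user object is still current, and the sign-out is what dispatches the Hub event and clears the Hosted UI state, which is why deleting first and signing out second is the only order in which both effects happen.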
