Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

User Groups Not being updated

See original GitHub issue

Describe the bug

Amplify with Cognito. If I update a user’s groups, I’m not seeing a great way to update the user’s groups. My hope is that this will/should automatically update.

To Reproduce Steps to reproduce the behavior:

Check user’s groups

  async currentUserGroups(): Promise<string[]> {
    const currentSession: CognitoUserSession = await Auth.currentSession();
    let groups: string[] = [];
    if (currentSession) {
      groups = currentSession.getIdToken().payload['cognito:groups'];
    }
    return groups;
  }

Expected behavior

When I update the user’s, I would expect Auth.currentSession() to do the right thing.

Sample code I was able to get the user session to be updated, but this work-around doesn’t seem right:

  async updateUserGroups() {
    const currentUser: CognitoUser = await Auth.currentAuthenticatedUser();
    const userSession: CognitoUserSession = currentUser.getSignInUserSession();
    const refreshToken = userSession.getRefreshToken();
    currentUser.refreshSession(refreshToken, (err, session) => {
      currentUser.setSignInUserSession(session);
    });
  }

Or at least it’s pretty painful. If this can’t happen automatically, is there a way to have a method on CognitoUser … something like updateUserGroups()?

If this is the “correct” or “best” way to handle this, then at the very least this should be heavily documented. I would be happy to help in any way that I can.

Thank you

Issue Analytics

State:
Created 4 years ago
Reactions:4
Comments:26 (8 by maintainers)

Top GitHub Comments

2reactions

malcommcommented, Aug 14, 2019

@haverchuck - this seems like a pretty big security risk to me … shouldn’t this be a marked a bug and escalated?

1reaction

ericclemmonscommented, Nov 5, 2019

@malcomm I’ve learned that the downstream services are just doing signing validation of the access token, not checking permissions.

We’re having conversations on how to best resolve this on both the client & server-side, but unfortunately don’t have that answer today.

In the interim, knowing that polling/intervals can be expensive for batter life, I’d recommend the following:

Determine a threshold (e.g. 10 minutes) that you deem reasonable for refreshing tokens.
Leveraging the Page Visibility API, refresh the token when that threshold has lapsed.

Some examples of refreshing tokens have already been provided in this thread, among others:

Thanks for staying on top of this @malcomm! Hopefully the client-side token refresh is a reasonable stopgap while we can research a scalable solution for the server-side.