fix(auth): prevent random logouts by fixing overly aggressive token clearing #14568
+139
−3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…learing Fixes the critical issue where users are randomly logged out due to TokenOrchestrator clearing tokens for ANY non-network error, including transient AWS service issues. Resolves aws-amplify#14534 The `handleErrors()` method was clearing tokens for all errors except NetworkError, causing users to be logged out during: - AWS service errors (500s) - Rate limiting (TooManyRequestsException) - Temporary service unavailability - Other transient errors that should be retried Modified token clearing logic to only clear tokens for definitive authentication failures that require re-authentication. Transient errors now preserve tokens, allowing for retry without forcing users to log in again. - Removed overly broad token clearing condition - Added `isAuthenticationError()` helper to identify auth failures - Only clears tokens for errors that definitively indicate invalid/expired tokens - Preserves tokens for all transient/retryable errors - `NotAuthorizedException` - Refresh token expired/invalid - `TokenRevokedException` - Token explicitly revoked - `UserNotFoundException` - User no longer exists - `PasswordResetRequiredException` - Password reset required - `UserNotConfirmedException` - Account not confirmed - `InternalErrorException` - AWS service errors - `TooManyRequestsException` - Rate limiting - `ThrottlingException` - Request throttling - `ServiceUnavailable` - Temporary service issues - `NetworkError` - Network connectivity issues - Any other transient or unknown errors - Added comprehensive test coverage for all error scenarios - Tests verify correct token clearing behavior for each error type - All existing tests pass This fix ensures users remain logged in during temporary AWS service issues while still properly handling genuine authentication failures.
anivar
requested review from
avi-karthik,
pranavosu and
sarayev
as code owners
3 tasks
|
It's been 3 weeks... any progress on this? |
osama-rizk
reviewed
Oct 30, 2025
| 'UserNotConfirmedException', // User account is not confirmed | ||
| ]; | ||
|
|
||
| return authErrorNames.some(errorName => err.name?.startsWith(errorName)); |
There was a problem hiding this comment.
For safety can we use optional chaining with the err.name and with startsWith function here? is the suggested change return authErrorNames.some(errorName => err?.name?.startsWith?.(errorName));
There was a problem hiding this comment.
How can we speed up adding this additional optional chain?
Also, the error has already been asserted as a service error on 184, so err is defined here.
osama-rizk
previously approved these changes
Oct 31, 2025
osama-rizk
approved these changes
Oct 31, 2025
soberm
approved these changes
Oct 31, 2025
|
Hey @alexkates , |
TY Amplify team! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes critical issue where users are randomly logged out due to TokenOrchestrator clearing tokens for ANY non-network error, including transient AWS service issues.
Resolves #14534
Description
The
handleErrors()method was clearing tokens for all errors except NetworkError, causing users to be logged out during temporary AWS service issues (500s, rate limits, throttling). This PR modifies the token clearing logic to only clear tokens for definitive authentication failures.This is a minimal fix with ~15 lines of actual code changes that solves a critical production issue affecting many users.
Implementation Details
TokenOrchestrator Changes
isAuthenticationError()helper method to identify definitive auth failuresErrors that clear tokens (auth failures):
NotAuthorizedException- Refresh token expired/invalidTokenRevokedException- Token explicitly revokedUserNotFoundException- User doesn't existPasswordResetRequiredException- Password reset requiredUserNotConfirmedException- Account not confirmedErrors that preserve tokens (transient):
InternalErrorException- AWS service errors (500s)TooManyRequestsException- Rate limitingThrottlingException- Request throttlingServiceUnavailable- Temporary outagesNetworkError- Network issuesTesting
Related Issues
Based on issue analysis:
tokenRefresh_failureevents followed by silent token clearing. Network errors were causing token clearing instead of graceful retry.Impact
Users will no longer be randomly logged out during AWS service issues. This is a critical fix that maintains backward compatibility while solving a major production issue affecting many users.
As discussed in the issue comments with @ahmedhamouda78 and @soberm, this approach only clears tokens for known authentication failures rather than all non-network errors.