Amplify-js: Token not invalidated when changing password on different browsers

Created on 10 Oct 2019 · 11 Comments · Source: aws-amplify/amplify-js

Describe the bug
JWT tokens aren't invalidated when users change password.

To Reproduce
Steps to reproduce the behavior:

1) Log in to the same account on browser A and browser B
2) Change the password on browser A
3) Use Auth.currentAuthenticatedUser() to check the user object on browser B
4) The session is still valid

Expected behavior
Expect the session to be invalidated so that we can show the login UI and ask users to log in again.

Desktop (please complete the following information):
all

Smartphone (please complete the following information):
all

Auth question

All 11 comments

You can use Auth.signOut({ global: true }) after changing the password to make sure the tokens are invalidated.

@madmed88
ok, I will try that.

Does doing this mean that when a user changes password, the user has to log in again?

@madmed88

I tried Auth.signOut({ global: true }) but Auth.currentAuthenticatedUser() still returns authenticated user on the other browser.

try Auth.currentAuthenticatedUser({ bypassCache: true })

ok. will try that.

@madmed88

On the other issue, you mentioned you use Auth.signOut({ global: true }) when users change their password. How does your app, opened on other browsers, detect whether the token is still valid? What do you use?

I have not figured that out yet; I have a similar issue open regarding that: #4164

As a workaround I run this code whenever a user interacts with the page:

    // `user` is the CognitoUser returned by Auth.currentAuthenticatedUser();
    // bypassCache: true forces a call to the user pool instead of reading the local token store
    user.getUserData(
      (err) => {
        if (err) {
          // the user pool rejected the access token, so drop the local session
          Auth.signOut();
        }
      },
      { bypassCache: true }
    );

@Jun711 @madmed88 Did you maybe figure it out by now? I also need to detect this.

I run the following check at an interval, but it's a nasty hack, not a solution:

// LOGIN_STATE_CHECK_INTERVAL_MS is the polling period chosen by the app
setInterval(() => {
  Auth.currentAuthenticatedUser({ bypassCache: true }).catch(() => Auth.signOut());
}, LOGIN_STATE_CHECK_INTERVAL_MS);
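
The polling workaround from the two comments above, written up as an added example (not code from amplify-js or from the commenters): a small session watchdog that runs the uncached check on a timer, skips overlapping calls, and signs the user out locally as soon as the user pool rejects the token. The point it illustrates is why the cached check cannot work: a JWT held in the browser looks valid until its exp claim passes, and a global sign-out done elsewhere is only visible when the client asks the provider again. The names createSessionWatchdog, makeFakeAuth and demo are assumptions of this example; the injected auth object is assumed to have the same shape as Amplify's Auth (currentAuthenticatedUser({ bypassCache }) and signOut()), and the constructed fake stands in for Cognito so the example runs offline.

```javascript
// Added example (not amplify-js code): session watchdog that re-checks the
// user against the identity provider instead of trusting the cached JWT.
// `auth` is an injected dependency assumed to match Amplify's Auth shape:
//   currentAuthenticatedUser({ bypassCache }) -> Promise<user> (rejects when revoked)
//   signOut() -> Promise<void>
function createSessionWatchdog({ auth, intervalMs = 60000, onInvalid = () => {} }) {
  let timer = null;
  let inFlight = false;

  // Resolves true while the provider still recognises the session and false once
  // it has been revoked; on revocation the local session is dropped and onInvalid
  // is called so the UI can show the login screen.
  async function checkOnce() {
    if (inFlight) return true; // a check is already pending; don't stack calls
    inFlight = true;
    try {
      await auth.currentAuthenticatedUser({ bypassCache: true }); // round-trip to the user pool
      return true;
    } catch (err) {
      await auth.signOut(); // local sign-out only; the server side is already revoked
      onInvalid(err);
      return false;
    } finally {
      inFlight = false;
    }
  }

  function start() {
    if (timer === null) timer = setInterval(checkOnce, intervalMs);
  }

  function stop() {
    if (timer !== null) {
      clearInterval(timer);
      timer = null;
    }
  }

  return { checkOnce, start, stop };
}

// Constructed fake of the provider (assumption, not Cognito): cached reads answer
// from the local token store regardless of server state; uncached reads consult
// the "server", where a global sign-out from another browser has revoked the session.
function makeFakeAuth() {
  const state = {
    serverRevoked: false,
    cachedUser: { username: 'alice' }, // constructed sample user
    signedOutLocally: false,
  };
  return {
    state,
    async currentAuthenticatedUser({ bypassCache = false } = {}) {
      if (!bypassCache && state.cachedUser) return state.cachedUser; // stale but "valid"
      if (state.serverRevoked) throw new Error('NotAuthorizedException');
      return state.cachedUser;
    },
    async signOut() {
      state.cachedUser = null;
      state.signedOutLocally = true;
    },
    // simulates Auth.signOut({ global: true }) performed in browser A
    globalSignOutFromOtherBrowser() {
      state.serverRevoked = true;
    },
  };
}

// Shows the difference: after a remote global sign-out the cached read still
// succeeds, while the watchdog's uncached check detects the revocation and signs
// the user out locally.
async function demo() {
  const auth = makeFakeAuth();
  const watchdog = createSessionWatchdog({ auth, intervalMs: 1000 });
  auth.globalSignOutFromOtherBrowser();
  const cachedStillValid = (await auth.currentAuthenticatedUser()) !== null;
  const detected = await watchdog.checkOnce();
  return { cachedStillValid, detected, signedOutLocally: auth.state.signedOutLocally };
}
```

In an app, start() would be called once after login with the real Auth object injected, and stop() on sign-out or page unload; the single-flight guard matters when the user pool is slow, since a bare setInterval would otherwise queue several identical requests.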

Make sure you are sending them to the signout endpoint.

https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html

It looks like there might be follow-up issues. Let's continue the convo on Issue #4164. Will close this out.
