Describe the bug
I use Next.js with Amplify `{ ssr: true }`.
I extract the token from `req` in `getServerSideProps` in this way:
```js
import { withSSRContext } from 'aws-amplify';

export async function getServerSideProps(context) {
  const { Auth } = withSSRContext(context);
  const session = await Auth.currentSession();
  ...
}
```
To Reproduce
It works if the user logged in recently. But if the user closes the tab and opens it a few hours later, this line will throw an error:
`const session = await Auth.currentSession()`
The reason is clear: it happened because the user's tokens are not valid anymore. BUT in the documentation https://docs.amplify.aws/lib/auth/overview/q/platform/js#sign-up-and-sign-in I found that:
> The Amplify client will refresh the tokens calling Auth.currentSession if they are no longer valid.
It seems that it doesn't work on the server side. It just throws an error with no possibility to refresh the tokens.
I'm running into this issue as well. It seems like the refresh token is not stored in the cookies so there is no way for Amplify to request new access and id tokens.
I also appear to be experiencing this issue
Unfortunately, that's expected behavior based on today's implementation: the client handles the refreshing and the server is basically "read-only":
https://github.com/aws-amplify/amplify-js/blob/8b3183f4d2ec7289044e2b6700e3ff4df3f98ce4/packages/core/src/UniversalStorage/index.ts#L87-L88
I agree, the server & client should work the same way. For some background, not saving the refresh token was done to get SSR working sooner, then get an `httpOnly` cookie solution working next.
I'm going to mark this as a feature request with the following action items for visibility, which of course will need to have its security posture reviewed:
- Include `refreshToken` in `UniversalStorage`.
- `httpOnly` cookies? Update `withSSRContext` to include `{ res }`, converting cookies to `httpOnly`.
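As an added example (not code from the Amplify project or from anyone in this thread), here is a `getServerSideProps` helper that maps the server-side failure described above to a redirect to sign-in rather than a 500, since the server cannot refresh tokens itself. The `Session` and `SSRResult` types, the injected session loader and the sample token are assumptions so that it runs without `aws-amplify` installed; in a page you would pass `() => withSSRContext(context).Auth.currentSession()` as the loader.

```typescript
// Added example, not Amplify's own code. The session loader is injected so this runs
// without aws-amplify; the types below are the subset of CognitoUserSession and of the
// Next.js getServerSideProps result that the helper needs (assumption, not Next's types).
type Session = { idToken: { jwtToken: string } };
type SSRResult<P> =
  | { props: P }
  | { redirect: { destination: string; permanent: false } };

// Decode the JWT payload without verifying it: the server only needs `exp` to decide
// whether the cookie-borne token is still usable; the API that consumes the token verifies it.
export function jwtPayload(jwt: string): Record<string, unknown> {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// True when the token expires within `skewSeconds` of `nowSeconds` (or carries no exp);
// the skew covers the gap between rendering and the request the page then makes with it.
export function isExpired(jwt: string, nowSeconds: number, skewSeconds = 30): boolean {
  const exp = jwtPayload(jwt).exp;
  return typeof exp !== 'number' || exp <= nowSeconds + skewSeconds;
}

export async function withSession<P>(
  loadSession: () => Promise<Session>,
  render: (idToken: string) => P,
  nowSeconds = Math.floor(Date.now() / 1000),
  loginPath = '/login',
): Promise<SSRResult<P>> {
  const redirect: SSRResult<P> = { redirect: { destination: loginPath, permanent: false } };
  // "No current user" on the server means cookies are absent, or the tokens expired and
  // the server cannot refresh them (no refresh token in UniversalStorage): treat as signed out.
  const session = await loadSession().catch(() => null);
  if (!session) return redirect;
  const token = session.idToken.jwtToken;
  return isExpired(token, nowSeconds) ? redirect : { props: render(token) };
}

// Constructed sample token (placeholder signature, never verified here): exp = 1700000000.
export const sampleJwt = [
  Buffer.from('{"alg":"RS256","typ":"JWT"}').toString('base64url'),
  Buffer.from('{"sub":"user-1","exp":1700000000}').toString('base64url'),
  'signature-placeholder',
].join('.');
```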
I'm having the same issue. I'm trying to use apollo-client for the SSR, and for that I need the jwtToken. I've tried this:
```ts
import { GetServerSideProps } from 'next'
import { withSSRContext } from 'aws-amplify'

export const getServerSideProps: GetServerSideProps = async (context) => {
  const { Auth } = withSSRContext(context)
  const session = await Auth.currentSession()
  const token = session.idToken.jwtToken
  console.log('Apollo client token: ', token)
  // getServerSideProps must return an object with a `props` key
  return { props: {} }
}
```
But I'm getting an Uncaught error with `No current user` in the console. Any ideas on how I can get the token on the server?
@ericclemmons any updates?
👍
@hugomn I was able to validate that `Auth.currentSession()` works on the server when logged in on the client-side:
```ts
import { Amplify, withSSRContext } from 'aws-amplify'
import { NextApiRequest, NextApiResponse } from 'next'
import awsconfig from '../../src/aws-exports'

Amplify.configure({ ...awsconfig, ssr: true })

// API route: reads the session from the request cookies via withSSRContext
export default async function fetchProfile(
  req: NextApiRequest,
  res: NextApiResponse
) {
  const SSR = withSSRContext({ req })
  try {
    console.log((await SSR.Auth.currentSession()).idToken.jwtToken)
    // Confirmed: jwtToken in console
    const user = await SSR.Auth.currentAuthenticatedUser()
    return res.status(200).json({ user })
  } catch (error) {
    console.error(error)
    return res.status(500).json({ error })
  }
}
```
Leaving this feature request open, since this issue is about SSR behavior when the token expires...