amplify-js: User Groups Not being updated

Describe the bug

Amplify with Cognito. If I update a user’s groups, I’m not seeing a great way to update the user’s groups. My hope is that this will/should automatically update.

To Reproduce

Steps to reproduce the behavior:

  1. Check user’s groups
  import { Auth } from 'aws-amplify';
  import { CognitoUserSession } from 'amazon-cognito-identity-js';

  // Reads the cognito:groups claim from the cached ID token. This does not contact
  // Cognito, so it reflects the groups at the time the token was issued.
  async currentUserGroups(): Promise<string[]> {
    const currentSession: CognitoUserSession = await Auth.currentSession();
    let groups: string[] = [];
    if (currentSession) {
      // The claim is absent when the user belongs to no group
      groups = currentSession.getIdToken().payload['cognito:groups'] ?? [];
    }
    return groups;
  }

Expected behavior

When I update the user’s groups, I would expect Auth.currentSession() to do the right thing.

Sample code

I was able to get the user session to be updated, but this work-around doesn’t seem right:

  import { Auth } from 'aws-amplify';
  import { CognitoUser, CognitoUserSession } from 'amazon-cognito-identity-js';

  // Forces a token refresh with the refresh token so the new ID token carries the current groups
  async updateUserGroups(): Promise<void> {
    const currentUser: CognitoUser = await Auth.currentAuthenticatedUser();
    const userSession: CognitoUserSession = currentUser.getSignInUserSession();
    const refreshToken = userSession.getRefreshToken();
    await new Promise<void>((resolve, reject) => {
      currentUser.refreshSession(refreshToken, (err, session) => {
        if (err) { return reject(err); } // e.g. refresh token expired or revoked
        currentUser.setSignInUserSession(session);
        resolve();
      });
    });
  }

Or at least it’s pretty painful. If this can’t happen automatically, is there a way to have a method on CognitoUser … something like updateUserGroups()?

If this is the “correct” or “best” way to handle this, then at the very least this should be heavily documented. I would be happy to help in any way that I can.

Thank you

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 4
  • Comments: 26 (8 by maintainers)

Most upvoted comments

@haverchuck - this seems like a pretty big security risk to me … shouldn’t this be marked as a bug and escalated?

@malcomm I’ve learned that the downstream services are just doing signing validation of the access token, not checking permissions.

We’re having conversations on how to best resolve this on both the client & server-side, but unfortunately don’t have that answer today.

In the interim, knowing that polling/intervals can be expensive for battery life, I’d recommend the following:

  1. Determine a threshold (e.g. 10 minutes) that you deem reasonable for refreshing tokens.
  2. Leveraging the Page Visibility API, refresh the token when that threshold has lapsed.

Some examples of refreshing tokens have already been provided in this thread, among others:
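As an added example (not code from this thread or from amplify-js), the TypeScript below applies the two steps above: it promisifies the refreshSession work-around posted earlier, refreshes at most once per threshold, and triggers the check from the Page Visibility API's visibilitychange event. The *Like interfaces are stand-ins for the CognitoUser and CognitoUserSession shapes assumed from the issue's code, and createGroupRefresher, refreshCognitoSession and groupsFromSession are names chosen here.

```typescript
// Added example; not code from the issue thread or from amplify-js.
// The *Like interfaces are stand-ins for the CognitoUser/CognitoUserSession
// shapes used in the issue, so the logic runs without a Cognito user pool.
type SessionLike = { getIdToken(): { payload: Record<string, unknown> } };
interface CognitoUserLike {
  getSignInUserSession(): { getRefreshToken(): unknown } | null;
  refreshSession(token: unknown, cb: (err: Error | null, s: SessionLike) => void): void;
  setSignInUserSession(s: SessionLike): void;
}
// The work-around from the issue as a promise, with the error path handled:
// a failed refresh rejects instead of silently keeping the stale session.
function refreshCognitoSession(user: CognitoUserLike): Promise<SessionLike> {
  return new Promise((resolve, reject) => {
    const current = user.getSignInUserSession();
    if (!current) return reject(new Error('no signed-in session to refresh'));
    user.refreshSession(current.getRefreshToken(), (err, session) => {
      if (err) return reject(err);
      user.setSignInUserSession(session);
      resolve(session);
    });
  });
}

// Read cognito:groups defensively: the claim is absent for users in no group.
// This only updates what the client shows; the API must still authorize each
// request from a token it validates itself (see the maintainer's comment).
function groupsFromSession(session: SessionLike | null): string[] {
  const claim = session?.getIdToken().payload['cognito:groups'];
  return Array.isArray(claim) ? claim.filter((g): g is string => typeof g === 'string') : [];
}

// Refresh at most once per threshold and only when the tab becomes visible (no polling).
function createGroupRefresher(refresh: () => Promise<SessionLike>, thresholdMs: number,
                              now: () => number = Date.now) {
  let lastRefresh = now();
  // Resolves to true when a refresh was actually performed.
  const onVisible = async (): Promise<boolean> => {
    if (now() - lastRefresh < thresholdMs) return false;
    await refresh();
    lastRefresh = now();
    return true;
  };
  // Wire to the Page Visibility API; pass `document` in a browser.
  const attach = (doc: { visibilityState: string; addEventListener(t: string, cb: () => void): void }) =>
    doc.addEventListener('visibilitychange', () => {
      if (doc.visibilityState === 'visible') onVisible().catch(console.error);
    });
  return { onVisible, attach };
}
```

In an Amplify app, pass `() => refreshCognitoSession(await Auth.currentAuthenticatedUser())` as the refresh function and call `attach(document)` once at startup.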

Thanks for staying on top of this @malcomm! Hopefully the client-side token refresh is a reasonable stopgap while we can research a scalable solution for the server-side.

I need this functionality as well. I use Cognito groups to manage user permissions. (unless someone has a better idea on how to manage them).