fix(auth)!: Fetch Auth Session offline behavior (#2585)

* feat(auth): update fetch auth session behavior

* fix(auth): remove getAWSCredentials arg from native plugin

* chore: update federateToIdentityPool test

* chore: CognitoAuthSessionResult doc comments

* chore: add/update tests for fetchAuthSession

* chore: add tests for unauth access, fix failing tests

* chore: update fetchAuthSession integ tests

* fix(authenticator)!: Update authenticator offline behavior

* chore: add comment to CognitoAuthSession

* chore: update failing android test

* chore: expose results from CognitoAuthSession, throw AuthExceptions

* chore: make tests more realistic

* chore: make AWSResult AWSDebuggable

* chore: early exit for no identity pool

* chore: update CognitoAuthSession.toJson

* chore: add doc comment to AWSResultType

* chore: update fetchAuthSession stub

* chore: undo sample app changes

* chore: simplify AuthProvider

* chore: revert changes to SignedOutException

* chore: add valueOrNull to AWSResult

* chore: add back members to CognitoAuthSession, update toJson

* chore: add getAWSCredentials back as deprecated

* chore: remove empty CognitoSessionOptions

* chore: refactor exception handling

* chore: force unwrap awsCredentials & identityId

* chore: update authenticator to catch Exception not object

* chore: add stacktrace to AWSResult

* fix: amplify_test

Author: Jordan-Nelson

packages/amplify_core/lib/amplify_core.dart

@@ -81,6 +81,7 @@ export 'src/types/exception/codegen_exception.dart';
 export 'src/types/exception/error/amplify_error.dart';
 export 'src/types/exception/error/configuration_error.dart';
 export 'src/types/exception/error/plugin_error.dart';
+export 'src/types/exception/network_exception.dart';
 export 'src/types/exception/url_launcher_exception.dart';
 
 /// Model-based types used in datastore and API

packages/amplify_core/lib/src/types/exception/auth/auth_exception.dart

@@ -28,6 +28,13 @@ abstract class AuthException extends AmplifyException with AWSDebuggable {
         underlyingException: e.underlyingException,
       );
     }
+    if (e is AWSHttpException) {
+      return NetworkException(
+        'The request failed due to a network error.',
+        recoverySuggestion: 'Ensure that you have an active network connection',
+        underlyingException: e,
+      );
+    }
     String message;
     try {
       message = (e as dynamic).message as String;

packages/amplify_core/lib/src/types/exception/network_exception.dart

@@ -0,0 +1,18 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import 'package:amplify_core/amplify_core.dart';
+
+/// {@template amplify_core.network_exception}
+/// Exception thrown when the requested operation fails due to a network
+/// failure.
+/// {@endtemplate}
+class NetworkException extends AmplifyException
+    implements AuthException, StorageException {
+  /// {@macro amplify_core.network_exception}
+  const NetworkException(
+    super.message, {
+    super.recoverySuggestion,
+    super.underlyingException,
+  });
+}

packages/amplify_test/lib/src/stubs/amplify_auth_cognito_stub.dart

@@ -1,9 +1,13 @@
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0
 
+// ignore_for_file: depend_on_referenced_packages, implementation_imports, invalid_use_of_internal_member
+
 import 'dart:core';
 
 import 'package:amplify_auth_cognito/amplify_auth_cognito.dart';
+import 'package:amplify_auth_cognito_dart/src/jwt/jwt.dart';
+import 'package:amplify_auth_cognito_dart/src/model/auth_result.dart';
 import 'package:amplify_core/amplify_core.dart';
 
 const usernameExistsException = UsernameExistsException(
@@ -206,7 +210,36 @@ class AmplifyAuthCognitoStub extends AuthPluginInterface
   Future<AuthSession> fetchAuthSession({
     AuthSessionOptions? options,
   }) async {
-    return CognitoAuthSession(isSignedIn: _isSignedIn());
+    if (_currentUser == null) {
+      return const CognitoAuthSession(
+        isSignedIn: false,
+        userPoolTokensResult: AuthResult.error(
+          SignedOutException('There is no user signed in.'),
+        ),
+        userSubResult: AuthResult.error(
+          SignedOutException('There is no user signed in.'),
+        ),
+        credentialsResult: AuthResult.error(
+          UnknownException('credentials not available in mocks'),
+        ),
+        identityIdResult: AuthResult.error(
+          UnknownException('identityId not available in mocks'),
+        ),
+      );
+    }
+    final userPoolTokens = _currentUser!.userPoolTokens;
+    final userSub = _currentUser!.sub;
+    return CognitoAuthSession(
+      isSignedIn: true,
+      userPoolTokensResult: AuthResult.success(userPoolTokens),
+      userSubResult: AuthResult.success(userSub),
+      credentialsResult: const AuthResult.error(
+        UnknownException('credentials not available in mocks'),
+      ),
+      identityIdResult: const AuthResult.error(
+        UnknownException('identityId not available in mocks'),
+      ),
+    );
   }
 
   @override
@@ -380,6 +413,36 @@ class MockCognitoUser {
     required this.email,
   });
 
+  CognitoUserPoolTokens get userPoolTokens {
+    final accessToken = JsonWebToken(
+      header: const JsonWebHeader(algorithm: Algorithm.hmacSha256),
+      claims: JsonWebClaims(
+        subject: sub,
+        expiration: DateTime.now().add(const Duration(minutes: 60)),
+        customClaims: {
+          'username': username,
+        },
+      ),
+      signature: const [],
+    );
+    const refreshToken = 'refreshToken';
+    final idToken = JsonWebToken(
+      header: const JsonWebHeader(algorithm: Algorithm.hmacSha256),
+      claims: JsonWebClaims(
+        subject: sub,
+        customClaims: {
+          'cognito:username': username,
+        },
+      ),
+      signature: const [],
+    );
+    return CognitoUserPoolTokens(
+      accessToken: accessToken,
+      refreshToken: refreshToken,
+      idToken: idToken,
+    );
+  }
+
   MockCognitoUser copyWith({
     String? sub,
     String? username,

packages/api/amplify_api/example/integration_test/graphql/iam_test.dart

@@ -212,13 +212,8 @@ void main({bool useExistingTestUser = false}) {
         // would do if that was the auth mode.
         final authSession =
             await Amplify.Auth.fetchAuthSession() as CognitoAuthSession;
-        final accessToken = authSession.userPoolTokens?.accessToken.raw;
-        if (accessToken == null) {
-          throw const AuthNotAuthorizedException(
-            'Could not get access token from cognito.',
-            recoverySuggestion: 'Ensure test user signed in.',
-          );
-        }
+        final accessToken =
+            authSession.userPoolTokensResult.value.accessToken.raw;
         final headers = {AWSHeaders.authorization: accessToken};
         final reqThatShouldWork = GraphQLRequest<Blog>(
           document: reqThatFails.document,

packages/auth/amplify_auth_cognito/example/integration_test/custom_authorizer_test.dart

@@ -54,7 +54,7 @@ void main() {
 
           final session =
               await Amplify.Auth.fetchAuthSession() as CognitoAuthSession;
-          expect(session.userPoolTokens, isNotNull);
+          expect(session.userPoolTokensResult.value, isNotNull);
 
           final apiUrl = config.api!.awsPlugin!.values
               .singleWhere((e) => e.endpointType == EndpointType.rest)
@@ -79,7 +79,8 @@ void main() {
             ),
             headers: {
               AWSHeaders.accept: 'application/json;charset=utf-8',
-              AWSHeaders.authorization: session.userPoolTokens!.idToken.raw,
+              AWSHeaders.authorization:
+                  session.userPoolTokensResult.value.idToken.raw,
             },
             body: utf8.encode(payload),
           );
@@ -115,10 +116,8 @@ void main() {
               final cognitoPlugin = Amplify.Auth.getPlugin(
                 AmplifyAuthCognito.pluginKey,
               );
-              final session = await cognitoPlugin.fetchAuthSession(
-                options: const CognitoSessionOptions(getAWSCredentials: true),
-              );
-              expect(session.credentials, isNotNull);
+              final session = await cognitoPlugin.fetchAuthSession();
+              expect(session.credentialsResult.value, isNotNull);
 
               final restApi = config.api!.awsPlugin!.values
                   .singleWhere((e) => e.endpointType == EndpointType.rest);
@@ -170,10 +169,8 @@ void main() {
               final cognitoPlugin = Amplify.Auth.getPlugin(
                 AmplifyAuthCognito.pluginKey,
               );
-              final session = await cognitoPlugin.fetchAuthSession(
-                options: const CognitoSessionOptions(getAWSCredentials: true),
-              );
-              expect(session.credentials, isNotNull);
+              final session = await cognitoPlugin.fetchAuthSession();
+              expect(session.credentialsResult.value, isNotNull);
 
               final restApi = config.api!.awsPlugin!.values
                   .singleWhere((e) => e.endpointType == EndpointType.rest);
@@ -226,10 +223,8 @@ void main() {
               final cognitoPlugin = Amplify.Auth.getPlugin(
                 AmplifyAuthCognito.pluginKey,
               );
-              final session = await cognitoPlugin.fetchAuthSession(
-                options: const CognitoSessionOptions(getAWSCredentials: true),
-              );
-              expect(session.credentials, isNotNull);
+              final session = await cognitoPlugin.fetchAuthSession();
+              expect(session.credentialsResult.value, isNotNull);
 
               final restOperation = Amplify.API.post(
                 '/',

packages/auth/amplify_auth_cognito/example/integration_test/federated_sign_in_test.dart

@@ -62,7 +62,7 @@ void main() {
       expect(signInResult.nextStep.signInStep, 'DONE');
 
       final userPoolTokens =
-          (await cognitoPlugin.fetchAuthSession()).userPoolTokens!;
+          (await cognitoPlugin.fetchAuthSession()).userPoolTokensResult.value;
       // Clear but do not sign out so that tokens are still valid.
       // ignore: invalid_use_of_protected_member
       await cognitoPlugin.plugin.stateMachine.dispatch(
@@ -105,29 +105,25 @@ void main() {
 
     asyncTest('replaces unauthenticated identity', (_) async {
       // Get unauthenticated identity
-      final unauthSession = await cognitoPlugin.fetchAuthSession(
-        options: const CognitoSessionOptions(getAWSCredentials: true),
-      );
+      final unauthSession = await cognitoPlugin.fetchAuthSession();
 
       final authSession = await federateToIdentityPool();
       expect(
         authSession.identityId,
-        unauthSession.identityId,
+        unauthSession.identityIdResult.value,
         reason: 'Should retain unauthenticated identity',
       );
       expect(
         authSession.credentials,
-        isNot(unauthSession.credentials),
+        isNot(unauthSession.credentialsResult.value),
         reason: 'Should get new credentials',
       );
     });
 
     asyncTest('can specify identity ID', (_) async {
       // Get unauthenticated identity (doesn't matter, just need identity ID)
-      final unauthSession = await cognitoPlugin.fetchAuthSession(
-        options: const CognitoSessionOptions(getAWSCredentials: true),
-      );
-      final identityId = unauthSession.identityId!;
+      final unauthSession = await cognitoPlugin.fetchAuthSession();
+      final identityId = unauthSession.identityIdResult.value;
 
       final signInResult = await cognitoPlugin.signIn(
         username: username,
@@ -136,7 +132,7 @@ void main() {
       expect(signInResult.nextStep.signInStep, 'DONE');
 
       final userPoolTokens =
-          (await cognitoPlugin.fetchAuthSession()).userPoolTokens!;
+          (await cognitoPlugin.fetchAuthSession()).userPoolTokensResult.value;
       // Clear but do not sign out so that tokens are still valid.
       // ignore: invalid_use_of_protected_member
       await cognitoPlugin.plugin.stateMachine.dispatch(
@@ -176,23 +172,23 @@ void main() {
     });
 
     asyncTest('can clear federation', (_) async {
-      await federateToIdentityPool();
+      final federateToIdentityPoolResult = await federateToIdentityPool();
 
       await expectLater(
         cognitoPlugin.clearFederationToIdentityPool(),
         completes,
       );
 
-      final clearedSession = await cognitoPlugin.fetchAuthSession();
+      final unauthSession = await cognitoPlugin.fetchAuthSession();
       expect(
-        clearedSession.identityId,
-        isNull,
-        reason: 'Should clear session',
+        unauthSession.identityIdResult.value,
+        isNot(federateToIdentityPoolResult.identityId),
+        reason: 'Should clear session and refetch',
       );
       expect(
-        clearedSession.credentials,
-        isNull,
-        reason: 'Should clear session',
+        unauthSession.credentialsResult.value,
+        isNot(federateToIdentityPoolResult.credentials),
+        reason: 'Should clear session and refetch',
       );
     });