Skip to content

fix(api-graphql): trigger WebSocket reconnection on auth errors #14569

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix(api-graphql): trigger WebSocket reconnection on auth errors #14569

wants to merge 2 commits into from
+43 −0

Conversation

anivar
Copy link
Contributor

@anivar anivar commented Sep 26, 2025
edited
Loading

Description

Fixes the critical issue where DataStore subscriptions silently fail after authentication tokens expire, causing users to miss real-time updates.

Resolves #12954

Problem

After extended idle periods or device sleep/wake cycles (~12-24 hours):

  • WebSocket subscriptions receive auth errors when tokens expire
  • Subscriptions fail silently without triggering reconnection
  • Hub events incorrectly report "syncQueriesReady" (false positive)
  • Outbound mutations work but inbound subscriptions are dead
  • Users miss critical real-time updates

Root Cause

The WebSocket provider doesn't detect authentication errors in subscription messages to trigger reconnection with fresh tokens. When a subscription receives an auth error (UnauthorizedException, Token expired, etc.), it simply errors out without forcing the WebSocket to reconnect.

Solution

Enhanced the WebSocket provider's error handling to:

  1. Detect authentication/authorization errors in subscription error messages
  2. Check for multiple auth error patterns:
    • UnauthorizedException / Unauthorized (error types)
    • Token expired / NotAuthorizedException (error messages)
    • HTTP status codes 401 / 403
  3. Close the WebSocket connection when auth errors are detected
  4. Allow the ConnectionStateMonitor to trigger reconnection with fresh tokens

The DataStore's disconnectionHandler already has auth error detection from a previous attempt, so this completes the fix by ensuring the WebSocket layer properly handles token expiration.

Testing

Reproduced and verified fix using steps from issue:

  1. App with auth enabled (@auth(rules: [{allow: owner}]))
  2. Leave idle >12 hours (or simulate by corrupting accessToken)
  3. Wake device/return to app
  4. Verify subscriptions automatically reconnect
  5. Confirm real-time updates resume

Code Changes

  • Modified: packages/api-graphql/src/Providers/AWSWebSocketProvider/index.ts
    • Added auth error detection in subscription error handler
    • Triggers WebSocket reconnection on auth failures

Impact

Critical fix for production applications, especially:

  • Real-time collaboration tools
  • Chat applications (message delivery)
  • Food delivery apps (order status updates)
  • Any app requiring reliable real-time updates after extended sessions

As reported by @alex-breen: "leading to data loss on an add request (amplify js doesn't throw an error, but sync fails to write, but app doesn't know this, so data is lost)"

Related Issues

@anivar
fix(datastore): fix WebSocket reconnection after token expiration
7252091 
Fixes the critical issue where DataStore sync silently fails after token expiration,
causing users to miss real-time updates while Hub events incorrectly report success.

Resolves aws-amplify#12954

The `disconnectionHandler` in sync/index.ts only handled specific disconnect messages
but not authentication errors. When tokens expired after ~12-24 hours:
- Sync processor logged "Sync processor retry error: No current user"
- WebSocket subscriptions silently failed
- Hub events still reported "syncQueriesReady"
- Outbound mutations worked but inbound subscriptions were dead

Extended `disconnectionHandler` to detect authentication-related errors and trigger
proper socket disconnection/reconnection with refreshed tokens.

Added detection for authentication error messages:
- "No current user" - Token expired/invalid
- "Unauthorized" - Generic auth failure
- "Token expired" - Explicit token expiration
- "NotAuthorizedException" - Cognito auth failure

When detected, the handler:
1. Logs a warning for debugging
2. Calls `datastoreConnectivity.socketDisconnected()` to force reconnection
3. Allows DataStore to re-establish subscriptions with refreshed tokens

Tested with reproduction steps from issue:
1. Leave app idle for >12 hours with auth enabled
2. Wake computer/return to app
3. Verify subscriptions reconnect properly
4. Confirm real-time updates are received

This ensures users don't miss critical real-time updates in production apps.
@anivar anivar requested a review from a team as a code owner September 26, 2025 16:25
@anivar anivar mentioned this pull request Sep 26, 2025
Open
3 tasks
@anivar
fix(api-graphql): trigger WebSocket reconnection on auth errors
e537084 
When subscriptions receive authentication errors (token expired,
unauthorized, etc.), close the WebSocket connection to force
reconnection with fresh auth tokens. This ensures subscriptions
resume after extended idle periods or device sleep/wake cycles.

Fixes aws-amplify#12954
@anivar anivar changed the title fix(datastore): fix WebSocket reconnection after token expiration fix(api-graphql): trigger WebSocket reconnection on auth errors Sep 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

DataStore sync processor rety error - about every 24 hours
1 participant
@anivar