Skip to content

chore(auth): Add typesafe classes for handling auth tokens #3123

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

chore(auth): Add typesafe classes for handling auth tokens #3123

wants to merge 3 commits into from
+325 −317

Conversation

mattcreaser
Copy link
Member

  • PR title and description conform to Pull Request guidelines.

Issue #, if available:

Description of changes:
Updates internal handling of auth tokens to wrap them in typesafe classes instead of bare strings. This makes the codebase easier to understand, drastically cuts down on the number of times the JWT strings are parsed, and makes it less likely that token content is accidentally leaked (because the masking is applied at the wrapper class level).

How did you test these changes?

Documentation update required?

  • No
  • Yes (Please include a PR link for the documentation update)

General Checklist

  • Added Unit Tests
  • Added Integration Tests
  • Security oriented best practices and standards are followed (e.g. using input sanitization, principle of least privilege, etc)
  • Ensure commit message has the appropriate scope (e.g fix(storage): message, feat(auth): message, chore(all): message)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@mattcreaser mattcreaser requested a review from a team as a code owner September 4, 2025 16:47
@mattcreaser mattcreaser force-pushed the mattcreaser/auth-tokens branch from 8f4a00f to b94e0e2 Compare September 11, 2025 19:06
@codecov Codecov
Copy link

codecov bot commented Sep 11, 2025

Codecov Report

❌ Patch coverage is 55.84416% with 34 lines in your changes missing coverage. Please review.
✅ Project coverage is 54.29%. Comparing base (7b9ee9b) to head (b94e0e2).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3123      +/-   ##
==========================================
+ Coverage   54.27%   54.29%   +0.02%     
==========================================
  Files        1040     1040              
  Lines       32071    32077       +6     
  Branches     4712     4721       +9     
==========================================
+ Hits        17406    17417      +11     
+ Misses      12824    12815       -9     
- Partials     1841     1845       +4
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@mattcreaser mattcreaser enabled auto-merge (squash) September 15, 2025 15:51
tylerjroach
tylerjroach previously approved these changes Sep 16, 2025
View reviewed changes
Copy link
Member

@tylerjroach tylerjroach left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice simplification!

...th-cognito/src/main/java/com/amplifyframework/statemachine/codegen/data/AmplifyCredential.kt
"accessKeyId = ${accessKeyId?.substring(0..4)}***, " +
"secretAccessKey = ${secretAccessKey?.substring(0..4)}***, " +
"sessionToken = ${sessionToken?.substring(0..4)}***, " +
"accessKeyId = ${accessKeyId.mask()}, " +
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This really probably doesn't matter since its a masked value but this method includes 1 less character.

Copy link
Member Author

@mattcreaser mattcreaser Sep 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noted, but agree that doesn't matter. We can make it 4 or 5 but it should be consistent.

...th-cognito/src/main/java/com/amplifyframework/statemachine/codegen/data/AmplifyCredential.kt Outdated
@@ -95,16 +96,22 @@ internal data class FederatedToken(val token: String, val providerName: String)
*/
@Serializable
internal data class CognitoUserPoolTokens(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does the toString look like now? I think the tokens are still tracked properly after traversing through the code, but notice expiration is now included (probably for the best).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had not noticed that expiration was excluded before, but that seems like an error. The updated toString looks like this:

CognitoUserPoolTokens(idToken=eyJh***, accessToken=eyJh***, refreshToken=eyJh***, expiration=1758044817)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tylerjroach tylerjroach tylerjroach left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mattcreaser @tylerjroach