Token handling, validation, and automatic refresh capabilities for maintaining authenticated sessions.
Manages user authentication sessions containing JWT tokens.
/**
* Represents a user session containing authentication tokens
* @param data - Session data with tokens
*/
class CognitoUserSession {
constructor(data: ICognitoUserSessionData);
/** Returns the ID token */
getIdToken(): CognitoIdToken;
/** Returns the access token */
getAccessToken(): CognitoAccessToken;
/** Returns the refresh token */
getRefreshToken(): CognitoRefreshToken;
/** Checks if the session is valid (tokens not expired) */
isValid(): boolean;
}
interface ICognitoUserSessionData {
/** JWT ID token */
IdToken: CognitoIdToken;
/** JWT access token */
AccessToken: CognitoAccessToken;
/** JWT refresh token (optional) */
RefreshToken?: CognitoRefreshToken;
}Individual JWT token classes with decoding and validation capabilities.
/**
* Represents a Cognito access token
*/
class CognitoAccessToken {
payload: { [key: string]: any };
constructor(params: { AccessToken: string });
/** Returns the raw JWT token string */
getJwtToken(): string;
/** Returns token expiration timestamp */
getExpiration(): number;
/** Returns token issued at timestamp */
getIssuedAt(): number;
/** Decodes and returns the token payload */
decodePayload(): { [key: string]: any };
}
/**
* Represents a Cognito ID token
*/
class CognitoIdToken {
payload: { [key: string]: any };
constructor(params: { IdToken: string });
/** Returns the raw JWT token string */
getJwtToken(): string;
/** Returns token expiration timestamp */
getExpiration(): number;
/** Returns token issued at timestamp */
getIssuedAt(): number;
/** Decodes and returns the token payload */
decodePayload(): { [key: string]: any };
}
/**
* Represents a Cognito refresh token
*/
class CognitoRefreshToken {
constructor(params: { RefreshToken: string });
/** Returns the refresh token string */
getToken(): string;
}Usage Examples:
import { CognitoUserSession, CognitoIdToken, CognitoAccessToken, CognitoRefreshToken } from "amazon-cognito-identity-js";
// Working with session after authentication
cognitoUser.authenticateUser(authDetails, {
onSuccess: (session) => {
// Check session validity
if (session.isValid()) {
console.log("Session is valid");
// Get tokens
const idToken = session.getIdToken();
const accessToken = session.getAccessToken();
const refreshToken = session.getRefreshToken();
// Use tokens
console.log("ID Token:", idToken.getJwtToken());
console.log("Access Token:", accessToken.getJwtToken());
// Decode token payloads
const idPayload = idToken.decodePayload();
const accessPayload = accessToken.decodePayload();
console.log("User sub:", idPayload.sub);
console.log("User email:", idPayload.email);
console.log("Token expiration:", new Date(accessToken.getExpiration() * 1000));
}
}
});
// Manual session creation (rare case)
const session = new CognitoUserSession({
IdToken: new CognitoIdToken({ IdToken: "eyJ..." }),
AccessToken: new CognitoAccessToken({ AccessToken: "eyJ..." }),
RefreshToken: new CognitoRefreshToken({ RefreshToken: "eyJ..." })
});Automatic and manual session refresh capabilities.
/**
* Refreshes the user session using refresh token
* @param refreshToken - Valid refresh token
* @param callback - Callback with refreshed session result
* @param clientMetadata - Optional client metadata for Lambda triggers
*/
refreshSession(
refreshToken: CognitoRefreshToken,
callback: NodeCallback<any, any>,
clientMetadata?: ClientMetadata
): void;Usage Example:
// Refresh session when access token expires
const refreshToken = session.getRefreshToken();
cognitoUser.refreshSession(refreshToken, (err, session) => {
if (err) {
console.error("Session refresh failed:", err);
// Redirect to login
return;
}
console.log("Session refreshed successfully");
// Update stored session
cognitoUser.setSignInUserSession(session);
});Understanding what information is contained in each token type.
ID Token Payload (typical fields):
sub - User's unique identifieremail_verified - Whether email is verifiediss - Token issuer (Cognito)cognito:username - Usernameaud - Audience (client ID)event_id - Event identifiertoken_use - "id"auth_time - Authentication timestampexp - Expiration timestampiat - Issued at timestampAccess Token Payload (typical fields):
sub - User's unique identifieriss - Token issuerclient_id - Client identifiertoken_use - "access"scope - Token scopeauth_time - Authentication timestampexp - Expiration timestampiat - Issued at timestampusername - UsernameUsage Example:
// Extract user information from tokens
const idToken = session.getIdToken();
const accessToken = session.getAccessToken();
const idPayload = idToken.decodePayload();
const accessPayload = accessToken.decodePayload();
// User information
const userId = idPayload.sub;
const username = idPayload["cognito:username"];
const email = idPayload.email;
const emailVerified = idPayload.email_verified;
// Token information
const tokenExpiration = accessToken.getExpiration();
const isExpired = Date.now() >= tokenExpiration * 1000;
console.log(`User: ${username} (${email})`);
console.log(`Email verified: ${emailVerified}`);
console.log(`Token expires: ${new Date(tokenExpiration * 1000)}`);
console.log(`Token expired: ${isExpired}`);Session persistence and retrieval from storage.
/**
* Gets session from storage or refreshes if needed
* @param callback - Callback with session result
* @param options - Optional session options
*/
getSession(
callback:
| ((error: Error, session: null) => void)
| ((error: null, session: CognitoUserSession) => void),
options?: GetSessionOptions
): void;
interface GetSessionOptions {
clientMetadata: Record<string, string>;
}Usage Example:
// Check for existing session
cognitoUser.getSession((err, session) => {
if (err) {
console.error("Session error:", err);
// Redirect to login
return;
}
if (session) {
console.log("Found valid session");
// User is authenticated
proceedWithAuthenticatedUser(session);
} else {
console.log("No valid session found");
// Show login form
showLoginForm();
}
});Automatic Validation:
session.isValid() checks if tokens are not expiredgetSession() automatically refreshes expired tokens when possibleManual Validation:
function validateSession(session: CognitoUserSession): boolean {
if (!session) return false;
// Check overall session validity
if (!session.isValid()) return false;
// Check individual token expiration
const accessToken = session.getAccessToken();
const idToken = session.getIdToken();
const now = Date.now() / 1000;
if (accessToken.getExpiration() <= now) return false;
if (idToken.getExpiration() <= now) return false;
return true;
}Error Handling:
cognitoUser.getSession((err, session) => {
if (err) {
switch (err.code) {
case 'NotAuthorizedException':
console.log("User not authorized, refresh token invalid");
// Clear local session and redirect to login
break;
case 'NetworkError':
console.log("Network error during session refresh");
// Retry or show offline message
break;
default:
console.error("Session error:", err);
}
return;
}
// Session is valid
useValidSession(session);
});