fix(auth): handle fallthrough exceptions in sign out state (#6226)

* updated signout function in the state machine to catch and return fallthrough exceptions, clearing the credential store when doing so.

* added unit test

Author: ekjotmultani

packages/auth/amplify_auth_cognito_dart/lib/src/auth_plugin_impl.dart

@@ -1074,6 +1074,7 @@ class AmplifyAuthCognitoDart extends AuthPluginInterface
         hostedUiException: result.hostedUiException,
         globalSignOutException: result.globalSignOutException,
         revokeTokenException: result.revokeTokenException,
+        invalidTokenException: result.invalidTokenException,
       ),
       SignOutFailure(:final exception) => CognitoSignOutResult.failed(
         AuthException.fromException(exception),

packages/auth/amplify_auth_cognito_dart/lib/src/model/signout/cognito_sign_out_result.dart

@@ -26,6 +26,7 @@ sealed class CognitoSignOutResult extends SignOutResult
     HostedUiException? hostedUiException,
     GlobalSignOutException? globalSignOutException,
     RevokeTokenException? revokeTokenException,
+    InvalidTokenException? invalidTokenException,
   }) = CognitoPartialSignOut._;
 
   /// Whether credentials have been cleared from the local device.
@@ -85,6 +86,7 @@ final class CognitoPartialSignOut extends CognitoSignOutResult {
     this.hostedUiException,
     this.globalSignOutException,
     this.revokeTokenException,
+    this.invalidTokenException,
   }) : super._();
 
   /// The exception that occurred during Hosted UI sign out.
@@ -96,6 +98,9 @@ final class CognitoPartialSignOut extends CognitoSignOutResult {
   /// The exception that occurred while revoking the token.
   final RevokeTokenException? revokeTokenException;
 
+  /// The exception that occurred while signing out with an invalid userpool token.
+  final InvalidTokenException? invalidTokenException;
+
   @override
   bool get signedOutLocally => true;
 
@@ -104,6 +109,7 @@ final class CognitoPartialSignOut extends CognitoSignOutResult {
     hostedUiException,
     globalSignOutException,
     revokeTokenException,
+    invalidTokenException,
     signedOutLocally,
   ];
 
@@ -112,10 +118,26 @@ final class CognitoPartialSignOut extends CognitoSignOutResult {
     'hostedUiException': hostedUiException?.toString(),
     'globalSignOutException': globalSignOutException?.toString(),
     'revokeTokenException': revokeTokenException?.toString(),
+    'invalidTokenException': invalidTokenException?.toString(),
     'signedOutLocally': signedOutLocally,
   };
 }
 
+/// {@template amplify_auth_cognito_dart.model.signout.hosted_ui_exception}
+/// Exception thrown trying to sign out with an invalid userpool token (one or more of the Id, Access, or Refresh Token).
+/// {@endtemplate}
+class InvalidTokenException extends AuthServiceException {
+  /// {@macro amplify_auth_cognito_dart.model.signout.invalid_token_exception}
+  const InvalidTokenException({super.underlyingException})
+    : super(
+        'The provided user pool token is invalid',
+        recoverySuggestion: 'See underlyingException for more details',
+      );
+
+  @override
+  String get runtimeTypeName => 'InvalidTokenException';
+}
+
 /// {@template amplify_auth_cognito_dart.model.signout.hosted_ui_exception}
 /// Exception thrown trying to sign out of Hosted UI.
 /// {@endtemplate}

packages/auth/amplify_auth_cognito_dart/lib/src/state/machines/sign_out_state_machine.dart

@@ -70,6 +70,13 @@ final class SignOutStateMachine
     // Do not clear other storage items (e.g. AWS credentials) in this case,
     // since an unauthenticated user may still be cached.
     final CognitoUserPoolTokens tokens;
+
+    // Capture results of individual steps to determine overall success.
+    HostedUiException? hostedUiException;
+    GlobalSignOutException? globalSignOutException;
+    RevokeTokenException? revokeTokenException;
+    InvalidTokenException? invalidTokenException;
+
     try {
       tokens = await manager.getUserPoolTokens();
     } on SignedOutException {
@@ -80,13 +87,20 @@ final class SignOutStateMachine
       // to clear the credentials associated with the non-existent user.
       await manager.clearCredentials();
       return emit(const SignOutState.success());
+    } on Exception catch (e) {
+      // unable to read tokens, clear the credentials to clear this invalid state.
+      invalidTokenException = InvalidTokenException(underlyingException: e);
+      await dispatchAndComplete(const CredentialStoreEvent.clearCredentials());
+      return emit(
+        SignOutState.partialFailure(
+          hostedUiException: hostedUiException,
+          globalSignOutException: globalSignOutException,
+          revokeTokenException: revokeTokenException,
+          invalidTokenException: invalidTokenException,
+        ),
+      );
     }
 
-    // Capture results of individual steps to determine overall success.
-    HostedUiException? hostedUiException;
-    GlobalSignOutException? globalSignOutException;
-    RevokeTokenException? revokeTokenException;
-
     // Sign out via Hosted UI, if configured.
     Future<void> signOutHostedUi() async {
       if (tokens.signInMethod == CognitoSignInMethod.hostedUi) {
@@ -163,6 +177,7 @@ final class SignOutStateMachine
           hostedUiException: hostedUiException,
           globalSignOutException: globalSignOutException,
           revokeTokenException: revokeTokenException,
+          invalidTokenException: invalidTokenException,
         ),
       );
     }
@@ -177,6 +192,7 @@ final class SignOutStateMachine
           hostedUiException: hostedUiException,
           globalSignOutException: globalSignOutException,
           revokeTokenException: revokeTokenException,
+          invalidTokenException: invalidTokenException,
         ),
       );
     }

packages/auth/amplify_auth_cognito_dart/lib/src/state/state/sign_out_state.dart

@@ -40,6 +40,7 @@ sealed class SignOutState extends AuthState<SignOutStateType> {
     HostedUiException? hostedUiException,
     GlobalSignOutException? globalSignOutException,
     RevokeTokenException? revokeTokenException,
+    InvalidTokenException? invalidTokenException,
   }) = SignOutPartialFailure;
 
   /// {@macro amplify_auth_cognito.sign_out_failure}
@@ -89,6 +90,7 @@ final class SignOutPartialFailure extends SignOutState {
     this.hostedUiException,
     this.globalSignOutException,
     this.revokeTokenException,
+    this.invalidTokenException,
   }) : super._();
 
   /// The exception that occurred during Hosted UI sign out.
@@ -100,6 +102,9 @@ final class SignOutPartialFailure extends SignOutState {
   /// The exception that occurred while revoking the token.
   final RevokeTokenException? revokeTokenException;
 
+  /// The exception that occurred while signing out with an invalid userpool token.
+  final InvalidTokenException? invalidTokenException;
+
   @override
   List<Object?> get props => [
     hostedUiException,

packages/auth/amplify_auth_cognito_test/test/plugin/sign_out_test.dart

@@ -10,6 +10,7 @@ import 'package:amplify_auth_cognito_dart/src/flows/hosted_ui/hosted_ui_platform
 import 'package:amplify_auth_cognito_dart/src/sdk/cognito_identity_provider.dart';
 import 'package:amplify_auth_cognito_dart/src/state/cognito_state_machine.dart';
 import 'package:amplify_auth_cognito_dart/src/state/state.dart';
+import 'package:amplify_auth_cognito_test/common/jwt.dart';
 import 'package:amplify_auth_cognito_test/common/mock_clients.dart';
 import 'package:amplify_auth_cognito_test/common/mock_config.dart';
 import 'package:amplify_auth_cognito_test/common/mock_hosted_ui.dart';
@@ -249,6 +250,57 @@ void main() {
           expect(hubEvents, emitsSignOutEvent);
         },
       );
+      test(
+        'clears credential store when signed in & token is invalid',
+        () async {
+          seedStorage(
+            secureStorage,
+            userPoolKeys: userPoolKeys,
+            identityPoolKeys: identityPoolKeys,
+          );
+          final expiredIdToken = createJwt(
+            type: TokenType.id,
+            expiration: Duration.zero,
+          );
+          // Write an expired ID token to the secure storage
+          secureStorage.write(
+            key: userPoolKeys[CognitoUserPoolKey.idToken],
+            value: expiredIdToken.raw,
+          );
+          await plugin.configure(
+            config: mockConfig,
+            authProviderRepo: testAuthRepo,
+          );
+
+          final mockIdp = MockCognitoIdentityProviderClient(
+            initiateAuth: (p0) async =>
+                throw InternalErrorException(message: 'Invalid token'),
+          );
+          stateMachine.addInstance<CognitoIdentityProviderClient>(mockIdp);
+
+          await expectLater(
+            plugin.signOut(),
+            completion(
+              isA<CognitoPartialSignOut>()
+                  .having(
+                    (res) => res.signedOutLocally,
+                    'signedOutLocally',
+                    isTrue,
+                  )
+                  .having(
+                    (res) => res.invalidTokenException,
+                    'invalidTokenException',
+                    isA<InvalidTokenException>(),
+                  ),
+            ),
+          );
+          expect(
+            plugin.stateMachine.getUserPoolTokens(),
+            throwsSignedOutException,
+          );
+          expect(hubEvents, emitsSignOutEvent);
+        },
+      );
 
       test('can sign out in user pool-only mode', () async {
         seedStorage(secureStorage, userPoolKeys: userPoolKeys);

packages/test/amplify_auth_integration_test/lib/src/test_runner.dart

@@ -305,10 +305,11 @@ Future<void> signOutUser({bool assertComplete = false}) async {
       :final hostedUiException,
       :final globalSignOutException,
       :final revokeTokenException,
+      :final invalidTokenException,
     ):
       _logger.error(
         'Error signing out:',
-        hostedUiException ?? globalSignOutException ?? revokeTokenException,
+        hostedUiException ?? globalSignOutException ?? revokeTokenException ?? invalidTokenException,
       );
     case CognitoFailedSignOut(:final exception):
       _logger.error('Error signing out:', exception);