@@ -105,6 +105,7 @@ public class AuthenticatorState: ObservableObject, AuthenticatorStateProtocol {
105105 }
106106
107107 } catch {
108+ // Fetch auth session only throws invalid state errors, for which the authenticator should definitely be in signed out state
108109 log. error ( error)
109110 log. error ( " Error while attempting to determine signed in user, going signedOut step " )
110111 setCurrentStep ( signedOutStep)
@@ -117,19 +118,28 @@ public class AuthenticatorState: ObservableObject, AuthenticatorStateProtocol {
117118 return session. isSignedIn
118119 }
119120
120- // If the failures are caused due to connectivity errors, consider the session still valid
121- if configuration. hasIdentityPool,
122- case . failure( let authError) = cognitoSession. getIdentityId ( ) ,
123- !authError. isConnectivityError {
124- log. verbose ( " Could not fetch Identity ID " )
125- return false
126- }
127-
128121 if configuration. hasUserPool,
129- case . failure( let authError) = cognitoSession. getCognitoTokens ( ) ,
130- !authError. isConnectivityError {
131- log. verbose ( " Could not fetch Cognito Tokens " )
132- return false
122+ case . failure( let authError) = cognitoSession. getCognitoTokens ( ) {
123+
124+ // Only invalidate session for definitive authentication failures.
125+ // All other errors (network, service, rate limits, etc.) preserve the session.
126+
127+ // Check for specific AuthError cases that indicate authentication failures
128+ switch authError {
129+ case . notAuthorized:
130+ log. verbose ( " Not authorized - session invalid " )
131+ return false
132+ case . sessionExpired:
133+ log. verbose ( " Session expired " )
134+ return false
135+ case . signedOut:
136+ log. verbose ( " User signed out - session invalid " )
137+ return false
138+ default :
139+ // For all other errors (network, service, unknown), preserve session
140+ log. verbose ( " Non-auth error, preserving session: \( authError) " )
141+ return true
142+ }
133143 }
134144
135145 return true
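Review bot: The `default:` branch of the new `switch authError` returns `true` for every error other than `.notAuthorized`, `.sessionExpired` and `.signedOut`, so the session check now fails open for any unlisted error kind, including cases added to `AuthError` later. If the intent is what the branch comment says (network, service, unknown), name those cases explicitly, e.g. `case .service, .unknown: return true`, and let everything else return `false`. The hunk also removes the `getIdentityId()` check without a replacement, so with `configuration.hasIdentityPool` set an identity failure no longer affects the result; if that is deliberate, a comment should say so. The enclosing function starts above the hunk, so any earlier guards are not visible here.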