amazon-archives / amazon-cognito-auth-js

The Amazon Cognito Auth SDK for JavaScript simplifies adding sign-up, sign-in with user profile functionality to web apps.
Apache License 2.0
423 stars 232 forks

[Hosted UI] State parameter #147

Open alshdavid opened 6 years ago

alshdavid commented 6 years ago

Hey, not sure where else to talk about the hosted ui.

How do I use the state parameter with the hosted UI?

kuabhila commented 6 years ago

You could use a client-generated value in the state parameter to prevent CSRF attacks. Cognito's login & Authorization endpoints support this parameter. So, include a sufficiently large & random value in the state parameter while entering the URL in your client/browser.

vpod commented 6 years ago

From what I see, the SDK would generate the state automatically if none is set. However, it does not store the generated value and does not validate it upon callback (see getFQDNSignIn()). Why is that? I would agree that it is the user's responsibility to do, but as the SDK has made the first step to generate a random value, maybe it would be reasonable to use it? At least I see no reason why not to add the storage and validation.

What would the maintainers say?