[Open] alshdavid opened this issue 6 years ago
You could use a client-generated value in the state parameter to prevent CSRF attacks. Cognito's login & Authorization endpoints support this parameter. So, include a sufficiently large & random value in the state parameter while entering the URL in your client/browser.
From what I see the SDK would generate the state automatically, if none is set. However it does not store the generated value and does not validate it upon callback (see getFQDNSignIn()). Why is that? I would agree that it is the user's responsibility to do, but as the SDK has made the first step to generate a random value, maybe it would be reasonable to use it? At least I see no reason why not to add the storage and validation.
What would the maintainers say?
Hey, not sure where else to talk about the hosted UI.
How do I use the `state` parameter with the hosted UI?