amazon-archives / amazon-cognito-auth-js

The Amazon Cognito Auth SDK for JavaScript simplifies adding sign-up, sign-in with user profile functionality to web apps.
Apache License 2.0

Credentials are not cleared on signOut() #36

Open dinvlad opened 6 years ago

dinvlad commented 6 years ago

Hi Team,

It appears that clearCachedTokensScopes() does not work as intended, because it references this.username and that parameter is undefined. When instantiating CognitoAuth, this.username is set to this.getLastUser() (and this is the only place it is set automatically*). However, by that time the last user is not yet set because cacheTokensScopes() is called only after parseCognitoWebResponse(). As a result, the user session is not cleared at all (except for, ironically, the value of LastAuthUser), and other people logging in on the same device can potentially steal the user tokens. Also, this pollutes localStorage over time as the old tokens are not removed in a multi-user environment.

I suggest we should call this.getCurrentUser() instead of this.username in clearCachedTokensScopes() to ensure that the current user is referenced correctly. Alternatively (even better), we should update this.username after cacheTokensScopes().

*Currently, to work around that without patching CognitoAuth, we must explicitly call auth.setUser(auth.getCurrentUser()) in our onSuccess() callback, which is a bit silly.

Thank you
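Added example, not part of the thread above and not code from amazon-cognito-auth-js: a minimal model of the sequence the report describes, run against an in-memory stand-in for window.localStorage so it executes offline. The key layout ("CognitoIdentityServiceProvider.<clientId>.<username>.<token>" plus a ".LastAuthUser" key), the token names, the client id and the sample token values are assumptions for illustration. It contrasts a clear routine that uses a username captured at construction time (undefined on a fresh store) with one that resolves the current user from storage at clear time, and returns which keys survive the sign-out.

```javascript
// Added example (not amazon-cognito-auth-js code): a model of the token cache
// described in the issue. Key layout, token names and sample values are assumed.

const TOKEN_NAMES = ['idToken', 'accessToken', 'refreshToken', 'tokenScopesString'];

function keyPrefix(clientId) {
  return `CognitoIdentityServiceProvider.${clientId}`;
}

// Stands in for cacheTokensScopes(): stores the user's tokens and records LastAuthUser.
function cacheTokensScopes(storage, clientId, username, tokens) {
  const prefix = keyPrefix(clientId);
  for (const name of TOKEN_NAMES) {
    storage.set(`${prefix}.${username}.${name}`, tokens[name]);
  }
  storage.set(`${prefix}.LastAuthUser`, username);
}

// Buggy shape from the report: builds keys from a username captured at
// construction time. When that value is undefined the per-user keys never
// match, so only LastAuthUser is removed and the tokens stay behind.
function clearCachedTokensScopesBuggy(storage, clientId, usernameAtConstruction) {
  const prefix = keyPrefix(clientId);
  for (const name of TOKEN_NAMES) {
    storage.delete(`${prefix}.${usernameAtConstruction}.${name}`);
  }
  storage.delete(`${prefix}.LastAuthUser`);
}

// Fixed shape suggested in the report: read the current user from the
// LastAuthUser key at clear time so the right per-user keys are removed.
function clearCachedTokensScopesFixed(storage, clientId) {
  const prefix = keyPrefix(clientId);
  const username = storage.get(`${prefix}.LastAuthUser`);
  if (username === undefined) return; // nothing cached for this client
  for (const name of TOKEN_NAMES) {
    storage.delete(`${prefix}.${username}.${name}`);
  }
  storage.delete(`${prefix}.LastAuthUser`);
}

// Keys that still belong to this client after sign-out, sorted for stable
// comparison; an empty list means the session was actually cleared.
function leftoverKeys(storage, clientId) {
  const prefix = keyPrefix(clientId);
  return [...storage.keys()].filter((k) => k.startsWith(prefix)).sort();
}

// Reproduces the order of events from the report: construct (username taken
// from storage, which is empty), sign in (tokens cached), sign out (clear).
function demo(clearFn) {
  const storage = new Map(); // constructed stand-in for localStorage
  const clientId = 'example-client-id'; // placeholder, not a real app client id
  const tokens = { // constructed sample values, not real tokens
    idToken: 'id.sample',
    accessToken: 'access.sample',
    refreshToken: 'refresh.sample',
    tokenScopesString: 'openid',
  };
  const usernameAtConstruction = storage.get(`${keyPrefix(clientId)}.LastAuthUser`);
  cacheTokensScopes(storage, clientId, 'alice', tokens);
  clearFn(storage, clientId, usernameAtConstruction);
  return leftoverKeys(storage, clientId);
}
```

Running `demo(clearCachedTokensScopesBuggy)` leaves all four of alice's token keys in storage for the next user of the device, which is the leak the report describes; `demo(clearCachedTokensScopesFixed)` leaves none. The same check, adapted to the real key names, is a useful regression test after upgrading: sign in, sign out, then list every localStorage key still carrying the client id.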

yuntuowang commented 6 years ago

Hi @dinvlad, our bug fix has been pushed! Please use version v1.1.1, you can download directly from github or use npm to install the latest version. Thanks!!

Senneseph commented 5 years ago

@yuntuowang's comment implies this has been fixed, but the issue is still open??

dinvlad commented 5 years ago

Alas, I cannot verify this as we moved to Firebase. If others can confirm, I'll close it.