amazon-archives / aws-serverless-auth-reference-app

Serverless reference app and backend API, showcasing authentication and authorization patterns using Amazon Cognito, Amazon API Gateway, AWS Lambda, and AWS IAM.

Is the user information in account-management.service.ts secure? #45

Open wollerman opened 6 years ago

wollerman commented 6 years ago

After a user signs in, it seems that everything is just saved to local storage: https://github.com/awslabs/aws-serverless-auth-reference-app/blob/master/app/src/services/account-management.service.ts#L368

Which looks to be the standard JavaScript localStorage: https://github.com/awslabs/aws-serverless-auth-reference-app/blob/master/app/src/services/account-management.service.ts#L560

Is this secure? I was surprised to find these keys and tokens being set to default storage. It seems to defeat the purpose and power of Cognito by storing the AWS secret access key here.

From what I can tell, best practice is to use local storage. I guess the big issue is storing that particular key and not just the JWT. If this isn't best practice, can you help point me in the direction of how to use Cognito and not compromise the user?

Thanks!
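Added example, not code from the reference app: a small audit that walks a browser Storage object and flags entries that look like persisted AWS credentials or JWTs, which is the concern raised in this issue. The sample storage contents and key names are constructed for illustration and are not the app's actual keys.

```javascript
// Patterns for what a sign-in flow may leave behind in localStorage.
const ACCESS_KEY_ID = /^(AKIA|ASIA)[A-Z0-9]{16}$/;            // AKIA = long-term, ASIA = STS temporary
const SECRET_ACCESS_KEY = /^[A-Za-z0-9/+=]{40}$/;              // 40-character secret access key
const JWT = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/; // header.payload.signature

// Classify one stored value; the key name is used as a hint for 40-char secrets.
function classify(key, value) {
  if (typeof value !== 'string') return null;
  if (ACCESS_KEY_ID.test(value)) return 'aws-access-key-id';
  if (JWT.test(value)) return 'jwt';
  if (SECRET_ACCESS_KEY.test(value)) {
    return /secret/i.test(key) ? 'aws-secret-access-key' : 'possible-secret';
  }
  return null;
}

// Walk any object with the Web Storage interface (length, key(i), getItem(k))
// and return every entry that looks like a credential. In a browser, call
// auditStorage(window.localStorage) from the DevTools console.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const kind = classify(key, storage.getItem(key));
    if (kind) findings.push({ key, kind });
  }
  return findings;
}

// Constructed stand-in for localStorage so the audit runs offline under Node.
// Values are the well-known AWS documentation placeholders, not real credentials.
function makeSampleStorage() {
  const data = new Map([
    ['theme', 'dark'],
    ['idToken', 'eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJl'],
    ['aws.accessKeyId', 'ASIAEXAMPLEEXAMPLE12'],
    ['aws.secretAccessKey', 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'],
  ]);
  const keys = [...data.keys()];
  return {
    get length() { return data.size; },
    key: (i) => (i < keys.length ? keys[i] : null),
    getItem: (k) => (data.has(k) ? data.get(k) : null),
  };
}

// Any access key id or secret access key finding means AWS credentials,
// not just the Cognito session, survive in storage across browser sessions.
function hasPersistedAwsCredentials(findings) {
  return findings.some((f) => f.kind === 'aws-access-key-id' || f.kind === 'aws-secret-access-key');
}

console.log(auditStorage(makeSampleStorage()));
```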