search

aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0
9.44k stars 2.13k forks source link

Auth v6 - How to set cookie HttpOnly? ( Token-saving mechanism - Cookie Storage ) #13376

Closed hanoj-budime closed 6 months ago

hanoj-budime commented 6 months ago

Before opening, please confirm:

JavaScript Framework

React

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

None

Environment information

``` # Put output below this line System: OS: Windows 10 10.0.19045 CPU: (12) x64 AMD Ryzen 5 PRO 4650U with Radeon Graphics Memory: 3.37 GB / 15.23 GB Binaries: Node: 18.19.0 - C:\Program Files\nodejs\node.EXE Yarn: 1.22.21 - ~\AppData\Roaming\npm\yarn.CMD npm: 9.6.3 - C:\Program Files\nodejs\npm.CMD Browsers: Edge: Chromium (123.0.2420.97) Internet Explorer: 11.0.19041.3636 npmPackages: @vitejs/plugin-react: ^4.2.0 => 4.2.1 aws-amplify: ^6.0.30 => 6.0.30 aws-amplify/adapter-core: undefined () aws-amplify/analytics: undefined () aws-amplify/analytics/kinesis: undefined () aws-amplify/analytics/kinesis-firehose: undefined () aws-amplify/analytics/personalize: undefined () aws-amplify/analytics/pinpoint: undefined () aws-amplify/api: undefined () aws-amplify/api/server: undefined () aws-amplify/auth: undefined () aws-amplify/auth/cognito: undefined () aws-amplify/auth/cognito/server: undefined () aws-amplify/auth/enable-oauth-listener: undefined () aws-amplify/auth/server: undefined () aws-amplify/data: undefined () aws-amplify/data/server: undefined () aws-amplify/datastore: undefined () aws-amplify/in-app-messaging: undefined () aws-amplify/in-app-messaging/pinpoint: undefined () aws-amplify/push-notifications: undefined () aws-amplify/push-notifications/pinpoint: undefined () aws-amplify/storage: undefined () aws-amplify/storage/s3: undefined () aws-amplify/storage/s3/server: undefined () aws-amplify/storage/server: undefined () aws-amplify/utils: undefined () react: ^18.x => 18.2.0 react-dom: ^18.x => 18.2.0 react-icons: ^4.11.0 => 4.12.0 react-router-dom: ^5.2.0 => 5.3.4 start-server-and-test: ^2.0.3 => 2.0.3 styled-components: ^5.0.1 => 5.3.11 styled-components/macro: undefined () styled-components/native: undefined () styled-components/primitives: undefined () vite: ^5.0.0 => 5.1.4 vite-plugin-node-polyfills: 0.17.0 => 0.17.0 npmGlobalPackages: @aws-amplify/cli: 10.4.1 npm: 9.6.3 nx: 16.7.4 ```

Describe the bug

How do you set the HttpOnly flag for cookies?

image

Expected behavior

Basically, I want to ensure that our cookies are more secure. Is it recommended to enable both 'HttpOnly' and 'Secure'? image Use secure cookies: Always mark cookies containing sensitive information as secure, ensuring they are only transmitted over HTTPS connections. HttpOnly flag: Set the HttpOnly flag on cookies to prevent client-side scripts from accessing them. This mitigates risks like XSS attacks, where an attacker injects malicious scripts into a web page to steal cookies.

Reproduction steps

  1. Amplify v6
  2. Token-saving mechanism with Cookies

Code Snippet

// Put your code below this line.

Log output

``` // Put your logs below this line ```

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

cwomack commented 6 months ago

Hello, @hanoj-budime and thanks for opening this issue. The feature request to have support for httpOnly cookies is also captured within issue #8147, so we'll close this as a duplicate. The one difference I'll call out between the the two issues is that it looks like you're developing a React app, which would inherently be client side. The feature and solution we are looking into for httpOnly cookies would be exclusive to having this capability on the server side.

But again, we're looking into a solution at this point and will communicate progress on issue #8147 for httpOnly cookie support. Let us know if there are further questions and feel free to upvote, comment, or add additional context to the other issue. Thanks!