Open isi-gach opened 4 years ago
I replied on the other issue as well but here is my answer for reference.
AppSync currently does not expose Cookies via the $ctx.request object. It is good feedback and I will take this to the team. In the meantime, would you be able to extract the cookie header on the client and use a different header to pass it through AppSync?
Please consider adding support for this; we have use cases around httpOnly cookies that will not work by playing the header switching game. Adding something like cloudfront + edge lambdas just for this is ...terrible.
This is an important security issue when you need sensitive data in cookies e.g. sessions:
https://dev.to/rdegges/please-stop-using-local-storage-1i04 <— Please Stop Using Local Storage
https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#local-storage <— OWASP recommends not using Local Storage for sensitive data.
Thanks for your great work AppSync Team!! Please consider this. 🙏
Hope the absence of a meaningful workaround will help to prioritize the work for this issue.
Also would like to add that we are considering AppSync as a future game-changer in terms of how FE and BE apps communicate with each other.
Curious if there is any update regarding this issue?
Looks like we are now in 2022... Seems this is dead?
Also curious if there are results? I also encountered the same problem. @Tim Schmelter
We tried everything. No way. We are now using cloud front to convert header to cookie and vice versa.
Are you using Lambda@Edge? Can you tell me your specific operation or have a reference document? Really looking forward to some help, thanks @harinair
We use cloudflare not cloudfront.... so it is different but essentially the same thing. You need to use the Lambda@Edge to parse the cookies from the Cookies header and set it as a header while forwarding the request. There may be 1000s of examples out there if you google.
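The edge workaround mentioned in this thread, sketched as an added example that is not part of any comment here and is not AWS or project code: a Lambda@Edge viewer-request function that copies one cookie into a request header for AppSync to read from the request headers. The cookie name `session` and header name `x-session-cookie` are assumptions, and the sample requests in the test are constructed.

```javascript
// Assumed names (not from the thread): the cookie to forward and the
// header that carries its value to AppSync.
const COOKIE_NAME = 'session';
const FORWARD_HEADER = 'x-session-cookie';

// Parse CloudFront's cookie header entries into a name -> value map.
// The first occurrence of a name wins; malformed pairs are skipped.
function parseCookies(cookieHeaders) {
  const jar = new Map();
  for (const { value } of cookieHeaders || []) {
    for (const pair of value.split(';')) {
      const eq = pair.indexOf('=');
      if (eq < 1) continue;
      const name = pair.slice(0, eq).trim();
      let val = pair.slice(eq + 1).trim();
      if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
        val = val.slice(1, -1);
      }
      if (name && !jar.has(name)) jar.set(name, val);
    }
  }
  return jar;
}

// Rewrite a CloudFront request object (header keys are lowercase).
function rewriteRequest(request) {
  // Drop any client-supplied copy so the header can only be set here.
  delete request.headers[FORWARD_HEADER];
  const token = parseCookies(request.headers.cookie).get(COOKIE_NAME);
  // Forward only the one cookie, and only printable ASCII without spaces,
  // so a crafted value cannot smuggle control characters into a header.
  if (token && /^[\x21-\x7e]+$/.test(token)) {
    request.headers[FORWARD_HEADER] = [{ key: FORWARD_HEADER, value: token }];
  }
  return request;
}

// Lambda@Edge viewer-request entry point.
async function handler(event) {
  return rewriteRequest(event.Records[0].cf.request);
}

if (typeof exports !== 'undefined') exports.handler = handler;
```

Because the function deletes any incoming `x-session-cookie` before setting its own, a resolver can treat that header as derived from the cookie only when all traffic reaches AppSync through this distribution.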
Been so long! Is native support ever going to come for cookie handling?
Hi
I posted the same question here: https://github.com/aws-amplify/amplify-js/issues/4486
I'm trying to read a request cookie with the HttpOnly flag (so it's not accessible in the browser) in a JavaScript AppSync Lambda resolver, apply sha256 to that cookie and send it to a new HTTP request.
I'm able to read the cookies in API Gateway: https://github.com/isi-gach/api-gateway-read-request-cookie
But I haven't managed to do it in AppSync.