Closed tsop14 closed 1 year ago
Hi @tsop14,
While support for Amplify is a requirement for this package, not all of its features need to be compatible as long as they remain optional. Adding the ability to set the HttpOnly
flag on cookies is within the scope of the package.
I will try to review your CR by the end of the week (probably Friday).
Cheers,
Issue # (if available): None
Description of changes:
Adds
httpOnly
boolean property to Authenticator params. Iftrue
set cookies usingHttpOnly
. These cookies can still be read from the request in the @edge lambda but are no longer available to javascript Document.cookie API.HttpOnly
Context
This issue discusses "Tokens exposed to users via cookies: security question" . It notes to avoid cookies you could follow the authorization code grant flow - requiring a request to cognito to ensure code is valid each time.
We'd like to avoid this extra call but also have additional security by setting the cookies using
HttpOnly
as a way to mitigate attacks involving cookies.For our use case we don't need to use amplify on the frontend and this PR assumes support isn't a requirement? But it might be a bit confusing as the cookies are set with the prefix expected by amplify auth and the architecture diagram includes the amplify logo by the web app. Tried to avoid confusion by making it explicit in readme but happy for feedback on making this clearer if needed.
Thanks for reviewing.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.