feat: httpOnly param

[tsop14]

Issue # (if available): None

Description of changes:

Adds httpOnly boolean property to Authenticator params. If true set cookies using HttpOnly. These cookies can still be read from the request in the @edge lambda but are no longer available to javascript Document.cookie API.

• adds httpOnly param
• conditionally sets cookies with HttpOnly
• adds unit test
• updates README's param documentation

Context

This issue discusses "Tokens exposed to users via cookies: security question" . It notes to avoid cookies you could follow the authorization code grant flow - requiring a request to cognito to ensure code is valid each time.

There is a tradeoff between latency and security.

We'd like to avoid this extra call but also have additional security by setting the cookies using HttpOnly as a way to mitigate attacks involving cookies.

For our use case we don't need to use amplify on the frontend and this PR assumes support isn't a requirement? But it might be a bit confusing as the cookies are set with the prefix expected by amplify auth and the architecture diagram includes the amplify logo by the web app. Tried to avoid confusion by making it explicit in readme but happy for feedback on making this clearer if needed.

Thanks for reviewing.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[jeandek]

Hi @tsop14,

While support for Amplify is a requirement for this package, not all of its features need to be compatible as long as they remain optional. Adding the ability to set the HttpOnly flag on cookies is within the scope of the package.

I will try to review your CR by the end of the week (probably Friday).

Cheers,