dabit3 / gatsby-auth-starter-aws-amplify

Starter Project with Authentication with Gatsby & AWS Amplify
MIT License
324 stars 399 forks

Security vulnerability: sensitive user fields in local storage #22

Closed multidis closed 4 years ago

multidis commented 5 years ago

Following user authentication, the user information returned from Auth.currentAuthenticatedUser() is saved to local storage: https://github.com/dabit3/gatsby-auth-starter-aws-amplify/blob/master/src/components/Login.js#L25 https://github.com/dabit3/gatsby-auth-starter-aws-amplify/blob/master/src/utils/auth.js#L3

This appears to result in sensitive user fields such as the password being saved in local storage in plain text. Seems to be a serious security issue for anyone using this Gatsby starter.

Any suggestions on fixing that while still having a proper token of logged in user available for signing GraphQL calls etc.?
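The pattern described in this issue (serializing the entire object returned by `Auth.currentAuthenticatedUser()` into `localStorage`) can be replaced by persisting only an allow-list of identity fields and fetching the session JWT on demand when an API call needs it. The example below is added here and is not code from gatsby-auth-starter-aws-amplify or from Amplify; the storage key name, the allow-listed field names, the sample user object and the contrived `password` field in it are all assumptions made for the demonstration. It also includes a small audit that scans stored values for sensitive-looking keys, which is the check a reviewer would run to confirm whether a password or token has landed in storage.

```javascript
// Added example, not code from the gatsby-auth-starter-aws-amplify project.
// Shows (1) persisting only an allow-list of non-sensitive user fields instead
// of the whole user object, and (2) an audit that scans storage for
// sensitive-looking keys. Runs offline with an in-memory localStorage shim.

const STORAGE_KEY = 'gatsbyUser'; // assumed key name, not necessarily the starter's

// Key names that should never be written to localStorage in plain text.
const SENSITIVE_KEY_PATTERN = /password|secret|token|credential/i;

// Keep only what the UI needs to render "who is logged in". The JWT used to
// sign GraphQL/API calls is NOT stored here; in Amplify it can be obtained at
// call time via Auth.currentSession() rather than persisted from the user object.
function pickSafeUserFields(user) {
  const safe = {};
  if (user && typeof user.username === 'string') safe.username = user.username;
  const attrs = (user && user.attributes) || {};
  for (const key of ['sub', 'email']) { // assumed allow-list
    if (typeof attrs[key] === 'string') safe[key] = attrs[key];
  }
  return safe;
}

// Recursively collect dotted paths to leaf values stored under sensitive-looking keys.
function findSensitivePaths(value, path = '', found = []) {
  if (value && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const childPath = path ? `${path}.${key}` : key;
      const isLeaf = child === null || typeof child !== 'object';
      if (SENSITIVE_KEY_PATTERN.test(key) && isLeaf && child != null) {
        found.push(childPath);
      }
      findSensitivePaths(child, childPath, found);
    }
  }
  return found;
}

// Minimal stand-in for window.localStorage so this runs outside a browser.
function createMemoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
    keys: () => Array.from(map.keys()),
  };
}

// The pattern the issue flags: dump the whole user object into storage.
function saveUserNaively(storage, user) {
  storage.setItem(STORAGE_KEY, JSON.stringify(user));
}

// Hardened version: allow-list first, then serialize.
function saveUserSafely(storage, user) {
  storage.setItem(STORAGE_KEY, JSON.stringify(pickSafeUserFields(user)));
}

// Audit every stored value (JSON where parseable) and report sensitive leaf paths.
function auditStorage(storage) {
  const findings = [];
  for (const key of storage.keys()) {
    const raw = storage.getItem(key);
    let parsed;
    try { parsed = JSON.parse(raw); } catch (e) { parsed = raw; }
    for (const p of findSensitivePaths(parsed)) findings.push(`${key}.${p}`);
  }
  return findings;
}

// Constructed sample user. The `password` field and the token value are
// contrived so the audit has something to catch; they are not real secrets.
const sampleUser = {
  username: 'alice',
  attributes: { sub: '0000-1111', email: 'alice@example.com', email_verified: 'true' },
  password: 'hunter2',
  signInUserSession: { idToken: { jwtToken: 'eyJhbGciOi.constructed.sample' } },
};

// Compare what the audit finds for the naive and the allow-listed approach.
function demo() {
  const naive = createMemoryStorage();
  saveUserNaively(naive, sampleUser);
  const safe = createMemoryStorage();
  saveUserSafely(safe, sampleUser);
  return { naiveFindings: auditStorage(naive), safeFindings: auditStorage(safe) };
}

console.log(demo());
```

The allow-list is a judgment call: even `email` is personal data, so projects that only need a "logged in" flag can drop it and keep just `username` or `sub`. The audit is intentionally name-based (it matches key names, not values), so it is a quick sanity check for a storage dump, not proof that nothing sensitive is present.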

dabit3 commented 4 years ago

Hi @multidis , I have tried to reproduce this issue but have not had any luck. Can you point me to how you were able to get the password saved to local storage?

Thanks for the issue.

multidis commented 4 years ago

I was re-evaluating this and indeed do not see the password anymore. Cannot reproduce exactly where I have seen it in the past with the up-to-date amplify/gatsby versions, so considering this closed. Sorry for the noise.

dabit3 commented 4 years ago

Hey, no worries. I appreciate any issues. Thanks!