aws-serverless-auth-reference-app icon indicating copy to clipboard operation
aws-serverless-auth-reference-app copied to clipboard

Published 20 hours ago verified publisher icon amazon-archives

Is the user information in account-management.service.ts secure?

Open wollerman opened this issue 6 years ago • 0 comments

After a user signs in, it seems that everything is just saved to local storage: https://github.com/awslabs/aws-serverless-auth-reference-app/blob/master/app/src/services/account-management.service.ts#L368

Which looks to be the standard javascript localstorage: https://github.com/awslabs/aws-serverless-auth-reference-app/blob/master/app/src/services/account-management.service.ts#L560

Is this secure? I was surprised to find these keys and tokens being set to default storage. It seems to defeat the purpose and power of cognito by storing the AWS secret access key here.

From what I can tell, best practice is to use local storage. I guess the big issue is storing that particular key and not just the JWT. If this isn't best practice, can you help point me in the direction of how to use cognito and not compromise the user?

Thanks!

wollerman avatar Oct 23 '17 21:10 wollerman