
[Question] How to access request cookies header in a JS Lambda Resolver

Open isi-gach opened this issue 5 years ago • 11 comments

Hi

I posted the same question here: https://github.com/aws-amplify/amplify-js/issues/4486

I'm trying to read a request cookie with the HttpOnly flag (so it's not accessible in the browser) in a JavaScript AppSync Lambda resolver, apply SHA-256 to that cookie and send it in a new HTTP request.

I'm able to read the cookies in API Gateway: https://github.com/isi-gach/api-gateway-read-request-cookie But I haven't managed to do it in AppSync.

isi-gach avatar Dec 06 '19 09:12 isi-gach

I replied on the other issue as well but here is my answer for reference.

AppSync currently does not expose Cookies via the $ctx.request object. It is good feedback and I will take this to the team. In the meantime, would you be able to extract the cookie header on the client and use a different header to pass it through AppSync?

tinnou avatar Dec 07 '19 02:12 tinnou

Please consider adding support for this; we have use cases around HttpOnly cookies that will not work by playing the header-switching game. Adding something like CloudFront + edge Lambdas just for this is ...terrible.

bitfrost avatar Jul 29 '20 23:07 bitfrost

This is an important security issue when you need sensitive data in cookies, e.g. sessions:

https://dev.to/rdegges/please-stop-using-local-storage-1i04 <— Please Stop Using Local Storage
https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#local-storage <— OWASP recommends not using Local Storage for sensitive data.

Thanks for your great work AppSync Team!! Please consider this. 🙏

tiomno avatar Aug 20 '20 01:08 tiomno

Hope the absence of a meaningful workaround will help to prioritize the work for this issue.

Also would like to add that we are considering AppSync as a future game-changer in terms of how FE and BE apps communicate with each other.

vlutsyuk-amplify avatar Dec 08 '20 15:12 vlutsyuk-amplify

Curious if there is any update regarding this issue?

jlvdh avatar Apr 01 '21 15:04 jlvdh

Looks like we are now in 2022... Seems this is dead?

harinair avatar Jan 12 '22 23:01 harinair

Also curious if there are results? I also encountered the same problem. @Tim Schmelter

light320180 avatar Jul 22 '22 07:07 light320180

> Also curious if there are results? I also encountered the same problem. @tim Schmelter

We tried everything. No way. We are now using CloudFront to convert header to cookie and vice versa.

harinair avatar Jul 22 '22 07:07 harinair

Are you using Lambda@Edge? Can you tell me your specific operation or have a reference document? Really looking forward to some help, thanks @harinair

light320180 avatar Jul 22 '22 08:07 light320180

We use Cloudflare, not CloudFront.... so it is different but essentially the same thing. You need to use Lambda@Edge to parse the cookies from the Cookie header and set it as a header while forwarding the request. There may be 1000s of examples out there if you Google.

harinair avatar Jul 22 '22 21:07 harinair