CookieStorage with httpOnly 2021 edition #8147
Comments
|
Bump. |
|
Bump. Much needed now especially with nextjs 12 middleware authentication capabilities |
|
Curious if anything will happen with this... |
|
@justinphilpott Me too! found something! ? |
|
Bump too. |
|
Bump |
|
Hey all, I have decided to create a httpOnly cookie solution for amplify auth. @philipjames44 Feel free to check it out: https://github.com/nitrictech/amplify-secure-js It's new and we are open to contributors. |
|
We've ended up using patch-package to modify the AWS Amplify library to support this but it becomes one of those things you have to remember about when you update Amplify. An official solution to this would actually make a lot of sense. |
|
This really feels like it should exist out of the box. We've since created our own solution for this problem, but it is ridiculous amplify is offered as a product without http only cookies |
abdallahshaban557
added
Service Team
|
Please bump this up, this is one of the most frustrating things I've encounter. If possible, please amplify team add the HttpOnly flag. |
|
Hello Everyone, we understand this it is frustrating that we do not have this feature available from AWS Amplify and Amazon Cognito. We do not have an immediate solution to this issue, however, we are discussing internally what we can do to support this in a future iteration of our Amplify Auth category. |
|
I came across this thread today as I am facing similar issues, ie. safely storing the JWT in the client => unsecure localstorage vs cookies not having HTTPOnly flag. |
|
@electronicbits I have done something like this in the past and it can work. This precludes you from using the Amplify client SDK though, so all those helpful features and functions are things you will have to build yourself. You'll have to look into authorization too, something like https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html. Seems like more work, but potentially also more control and security in that you can set things how you want. |
|
@jhoffmcd thanks for that ! |
|
Just noticed, the cognito app client has already a secret in place. Meaning all requests with no secret will be rejected. |
|
Bumping this as well, a native solution would be greatly appreciated! |
|
Bump again, this is blocking |
|
Bump too. |
|
In a few short weeks the issue title will need to be updated to a 2023 edition 😬 |
|
🤣 Bump bump bump. Any plan? |
What was the result of those discussions? |
|
For anyone that's looking for a work-around solution: You might find my official AWS blog post helpful: Reduce risk by implementing HttpOnly cookie authentication in Amazon API Gateway It's also using Amazon Cognito. |
|
@BorntraegerMarc thanks for the post. Your solution implies using a hosted UI to allow Apps to be as agnostic as possible from the authentication flow (effectivley, removing amplify dependency and with it, client-side token storage), right? That makes total sense to me, but, what if a custom login UI is needed? Is there a way to securely achieve this use case? |
|
@fjcalzado you can customize the Amazon Cognito sign-in page as described here: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-ui-customization.html |
|
Bump! |
Thanks @BorntraegerMarc !! I followed the steps in the article you posted and I have this working and authenticating the sample lambda function. Now... How do i make this authenticate my amplify application? Also, I need to use the AWS.Lambda and AWS.S3 libraries which both require the accessKeyId, the secretAccessKey and the sessionToken. How would I get these using the technique you described. I came across this library that seems perfect but it is incompatible with my project |
|
@TE-RobertMcCain for amplify (any SPA) you can just redirect to Cognito hosted login page on login. No further action needed |
|
I'm hoping folks in this thread can help me understand what I'm missing. After reading on this topic and experimenting with AmplifyJS, I don't see how supporting httpOnly cookies would solve all XSS surface. It seems like to support httpOnly cookies, the Amplify team would have to write an Amplify backend, where cookies would be set. For most functions that we call on the client-side, a request would be made to that backend, which would then make the request to the required AWS service. In theory, the above could be possible, probably with a new "Amplify backend" service that we would have to deploy. This would be the exact same as writing our own frontend code and backend server, but obviously would save us a lot of code to write. But for some Amplify libraries, this wouldn't even remove the XSS vulnerability. Take the geo or the pubsub libraries. I'm fairly sure those need to be used directly from the client-side. This means that the tokens would need to be exchanged between the backend and the frontend, essentially voiding the use of httpOnly cookies. I feel like we're trying to add capabilities to a framework that has been inherently designed to run with some vulnerabilities. I.e. Amplify JS has been designed to make requests from the client-side of frontend applications, using Cognito tokens. For everybody that claims having implemented httpOnly cookies through a work-around (SSR, API Gateway, or something else), are you able to use the geo or pubsub modules securely? I'm under the impression that this isn't the case. Again, I'm hoping somebody proves me wrong, as I'm not an expert on security or frontend frameworks. I would very much like to use AmplifyJS, securely, as it saves me writing a lot of code. |
|
Is there any update on this? It would be so great to get this fixed. I assume this is due to security unawareness. Lots of applications are affected by this just because they realize on Amplify UI. As far as I can tell there is no explicit warning about this security issue in Amplify UI documents. |
|
Hey guys, I agree with your comments, as @louislatreille says, what if we need to use geo or pubsub features ?, maybe it is need a solution that's Amplify team sure will find. I will check also the libraries commented (https://github.com/nitrictech/amplify-secure-js), it looks good and as soon as possible I will check it with React. |
|
Bump. It is very much needed. |
|
Bump |
|
Bump, we could really use this. |
|
Bump! This just came up on a pentest report for me. |
|
Bump. Also came up as a pentest findings in our Team. We had some hope reading this piece of documentation from Amplify but could it be the snippet is not working for Gen2 ( |
|
Bump, we could really use this, too. |
github-actions
bot
added
the
pending-maintainer-response
|
Bump, we need to implement OpenID Session Management using Amplify Gen2 with Next.js adapter, right now. |
and others
Is your feature request related to a problem? Please describe.
Yes, amplify should support httpOnly cookie setting via Cognito to prevent a user from manually having to create httpOnly cookies to prevent XSS attacks, and so that using a custom API does not require the user to store JWTs in localStorage.
Describe the solution you'd like
Boolean flag to add httpOnly cookie in cookieStorage by leveraging the backend infra of Cognito.
Describe alternatives you've considered
Creating my own cookies. I cannot store my relevant cookies server side or use API gateway so it must be stored securely on the client. I can use localStorage to store JWTs but httpOnly cookies are the more secure solution.
Additional context
This is a follow up on #3224, which I believe was closed prematurely.
The text was updated successfully, but these errors were encountered: