Recently started building a SPA. I'm using the official AWS stand-alone Amplify javascript library for Auth. After deploying my SPA and logging in, I noticed that all of my tokens are persisted in local storage in the browser.
For example:
I'm fairly new to frontend auth, but everything I've read has claimed that this is poor security. For example:
auth0.com: Using browser local storage
Here’s Why Storing JWT in Local Storage is a Disastrous Mistake
Best Practices for Storing Access Tokens in the Browser
Is this something that AWS is failing to account for?
You can use a custom storage adapter and use cookies for instance:
https://docs.amplify.aws/react/build-a-backend/auth/manage-user-session/#update-your-token-saving-mechanism
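To make the custom storage adapter concrete, here is an added example (not code from the answer above, nor Amplify's own): a cookie-backed store with the async `setItem`/`getItem`/`removeItem`/`clear` shape that Amplify v6's `KeyValueStorageInterface` expects, as I read it from the linked docs page; the `cognitoUserPoolsTokenProvider.setKeyValueStorage` wiring in the trailing comment is taken from that page and assumed rather than verified here. A constructed stand-in for `document` lets the adapter run outside a browser. Two caveats a practitioner should weigh: a cookie written from script cannot be `HttpOnly`, so the token is still readable by any JavaScript that runs on the page (the attributes here scope it to the origin, keep it off plain HTTP and give it a short lifetime, which is the realistic gain over `localStorage`), and browsers cap a single cookie at roughly 4 KB, which Cognito ID tokens with many claims can approach.

```javascript
// Added example, not from the post or from the Amplify project.
// SecureCookieStorage implements the Promise-based setItem/getItem/removeItem/clear
// shape of Amplify v6's KeyValueStorageInterface (assumed from the linked docs).

// Constructed stand-in for the browser's `document`, so this runs offline.
// It mimics document.cookie: assigning "name=value; attrs" upserts one
// cookie, and an Expires date in the past deletes it, as a browser would.
function createFakeDocument(now = () => Date.now()) {
  const jar = new Map();
  return {
    get cookie() {
      return [...jar].map(([k, v]) => `${k}=${v}`).join('; ');
    },
    set cookie(str) {
      const [pair, ...attrs] = str.split(';').map((s) => s.trim());
      const eq = pair.indexOf('=');
      const name = pair.slice(0, eq);
      const value = pair.slice(eq + 1);
      const expires = attrs.find((a) => /^expires=/i.test(a));
      if (expires && new Date(expires.slice('expires='.length)).getTime() <= now()) {
        jar.delete(name);
      } else {
        jar.set(name, value);
      }
    },
  };
}

class SecureCookieStorage {
  // `doc` is `document` in the browser. Domain/Path scope the cookie,
  // SameSite=Strict keeps it off cross-site requests, Secure keeps it off
  // plain HTTP. HttpOnly cannot be set from script, so a token stored this
  // way is still readable by any JS running on the page.
  constructor(doc, { domain, path = '/', sameSite = 'Strict', expiresDays = 1 } = {}) {
    this.doc = doc;
    this.domain = domain;
    this.path = path;
    this.sameSite = sameSite;
    this.expiresDays = expiresDays;
  }

  // Attribute string appended to every cookie assignment.
  attributes(expires) {
    const parts = [
      `Expires=${expires.toUTCString()}`,
      `Path=${this.path}`,
      `SameSite=${this.sameSite}`,
      'Secure',
    ];
    if (this.domain) parts.push(`Domain=${this.domain}`);
    return parts.join('; ');
  }

  // Synchronous core. Keys and values are URI-encoded so a ';' or '=' in a
  // value cannot break cookie syntax.
  set(key, value) {
    const expires = new Date(Date.now() + this.expiresDays * 864e5);
    this.doc.cookie = `${encodeURIComponent(key)}=${encodeURIComponent(value)}; ${this.attributes(expires)}`;
  }
  get(key) {
    const wanted = encodeURIComponent(key);
    for (const c of this.doc.cookie.split('; ')) {
      if (!c) continue;
      const eq = c.indexOf('=');
      if (c.slice(0, eq) === wanted) return decodeURIComponent(c.slice(eq + 1));
    }
    return null;
  }
  remove(key) {
    // Writing the cookie with an Expires date in the past deletes it.
    this.doc.cookie = `${encodeURIComponent(key)}=; ${this.attributes(new Date(0))}`;
  }
  keys() {
    return this.doc.cookie
      .split('; ')
      .filter(Boolean)
      .map((c) => decodeURIComponent(c.slice(0, c.indexOf('='))));
  }

  // The Amplify interface is Promise-based; these wrap the sync core.
  async setItem(key, value) { this.set(key, value); }
  async getItem(key) { return this.get(key); }
  async removeItem(key) { this.remove(key); }
  async clear() { for (const k of this.keys()) this.remove(k); }
}

// Browser wiring (Amplify v6, assumed from the linked docs page), not run here:
//   import { cognitoUserPoolsTokenProvider } from 'aws-amplify/auth/cognito';
//   cognitoUserPoolsTokenProvider.setKeyValueStorage(
//     new SecureCookieStorage(document, { domain: 'app.example.com' }));
```

The sync `set`/`get`/`remove`/`keys` methods carry the logic and the async methods only wrap them, so the adapter can be unit-tested against the fake `document` without a browser or a Cognito user pool. `clear` removes every cookie visible to the page, matching what a storage-wide reset means in the Amplify interface, so keep the token cookies on their own subdomain or path if other cookies must survive a sign-out.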
Do you know if the withAuthentication wrapper handles token refreshes automatically for me?
Amplify will keep an active session for as long as it can, but I don't think it will automatically refresh the token. Typically I called Auth.currentSession(), which would then renew the token automatically.