Months ago I went through this documentation and built a Cognito pool with four Lambda triggers that control signing in from a website.
This mechanism adds the user to Cognito if they do not already exist in the pool, then authorizes them and gets a JWT from Cognito which controls access to API Gateway APIs.
The problem is that when I use this setup, the JWT takes 5 MINUTES at the minimum to expire and there doesn't seem to be any valid way to expire that token before that time frame.
If this is indeed true, I effectively cannot rely on Cognito for sensitive APIs where I must make sure a user can only use it once with the credentials they are given.
For instance, maybe I have an order creation API. In my testing, a user can grab the token from F12's network response and make thousands of fake orders using Postman before the 5 minute expiration time expires after authorizing.
I have seen documentation about token revocation, and found two api endpoints involved with cancelling tokens but even after using them this 'feature' of being able to reuse the token as much as you want still exists until the 5 minute timeout is over.
To contrast, with OAuth, it looks as though the token can be set to be short lived and expire 10 seconds after issuance. I could give the user a 10-20 second valid window and this would probably cover me, as it would take most of that time to break into F12 and get the JWT in the first place.
Am I maybe using this wrong, and is there a way that the Cognito token doesn't provide wide open access beyond its initial use? I'd prefer to use Cognito but I think unless I can get around this I have to look at other options.
Thanks!
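Added example, not part of the original question: the replay the post describes (one captured bearer token, replayed many times inside its validity window) and a server-side guard against it. Cognito access tokens carry a unique `jti` claim; the gate below records each `jti` on first use and refuses later presentations of the same token, regardless of how long the `exp` window is. Assumptions: tokens are minted locally with HS256 and a demo key as a stand-in for Cognito's RS256 tokens (a real authorizer verifies against the user pool's JWKS), the clock is frozen so the run is deterministic, and `mint_token`, `SingleUseGate` and `simulate_replay` are names chosen here, not AWS APIs.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Issue a compact JWS signed with HS256.

    Stand-in (assumption) for Cognito handing out an RS256 access token; only
    the claim layout (sub, jti, exp) mirrors what Cognito puts in its tokens.
    """
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class SingleUseGate:
    """Accept each token exactly once, however long its exp window is."""

    def __init__(self, key: bytes, now=time.time):
        self._key = key
        self._now = now
        self._seen: dict[str, int] = {}  # jti -> exp, so stale entries can be purged

    def _verify(self, token: str) -> dict:
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
        except ValueError:
            raise ValueError("malformed token")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":          # never trust the token's own alg
            raise ValueError("unexpected alg")
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(self._key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims.get("jti"), str):
            raise ValueError("missing jti")
        if claims.get("exp", 0) <= self._now():
            raise ValueError("expired")
        return claims

    def _purge_expired(self) -> None:
        # Once a token is past exp, signature/exp checks reject it anyway,
        # so its jti no longer needs to be remembered.
        now = self._now()
        for jti in [j for j, exp in self._seen.items() if exp <= now]:
            del self._seen[jti]

    def authorize(self, token: str) -> tuple[bool, str]:
        """Return (accepted, subject-or-reason) for one API call."""
        self._purge_expired()
        try:
            claims = self._verify(token)
        except ValueError as err:
            return False, str(err)
        jti = claims["jti"]
        if jti in self._seen:
            return False, "replay: jti already used"
        self._seen[jti] = int(claims["exp"])
        return True, claims["sub"]


KEY = b"demo-signing-key"   # constructed demo key, not a real secret
FIXED_NOW = 1_700_000_000   # frozen clock so the demo is deterministic


def simulate_replay(attempts: int = 1000) -> int:
    """Replay one captured token `attempts` times; return how many calls got through."""
    gate = SingleUseGate(KEY, now=lambda: FIXED_NOW)
    captured = mint_token(
        {"sub": "user-1", "jti": "captured-from-devtools", "exp": FIXED_NOW + 300}, KEY
    )
    return sum(1 for _ in range(attempts) if gate.authorize(captured)[0])


if __name__ == "__main__":
    print("orders accepted out of 1000 replays:", simulate_replay())
```

The in-memory `_seen` dict is only for the demonstration; across several Lambda instances the record of used `jti` values has to live in a shared store (for example a DynamoDB table whose TTL attribute is set to the token's `exp`, which gives the same purge for free). Note the trade-off: a strictly single-use access token means the client needs a fresh token for every call, so the same `jti`-style bookkeeping is often applied per request instead, as an idempotency key on the order endpoint, which is what actually stops "thousands of fake orders" from one token.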