Recently started building a SPA. I'm using the official AWS stand-alone Amplify javascript library for Auth. After deploying my SPA and logging in, I noticed that all of my tokens are persisted in local storage in the browser.
For example:
I'm fairly new to the frontend auth, but everything I've read has claimed that this is poor security. For example:
auth0.com: Using browser local storage
Here’s Why Storing JWT in Local Storage is a Disastrous Mistake
Best Practices for Storing Access Tokens in the Browser
Is this something that AWS is failing to account for?
You can use a custom storage adapter and use cookies for instance:
https://docs.amplify.aws/react/build-a-backend/auth/manage-user-session/#update-your-token-saving-mechanism
Do you know if the withAuthentication wrapper handles token refreshes automatically for me?
withAuthentication
Amplify will keep active session for as long as it can, but I don’t think it will automatically refresh the token. Typically I did call Auth.currentSession() which would then renew to token automatically
로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.
좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.
AWS 공식업데이트됨 2년 전
Do you know if the
withAuthenticationwrapper handles token refreshes automatically for me?Amplify will keep active session for as long as it can, but I don’t think it will automatically refresh the token. Typically I did call Auth.currentSession() which would then renew to token automatically