Recently started building a SPA. I'm using the official AWS stand-alone Amplify JavaScript library for Auth. After deploying my SPA and logging in, I noticed that all of my tokens are persisted in local storage in the browser.
For example:
I'm fairly new to the frontend auth, but everything I've read has claimed that this is poor security. For example:
auth0.com: Using browser local storage
Here’s Why Storing JWT in Local Storage is a Disastrous Mistake
Best Practices for Storing Access Tokens in the Browser
Is this something that AWS is failing to account for?
You can use a custom storage adapter and use cookies, for instance:
https://docs.amplify.aws/react/build-a-backend/auth/manage-user-session/#update-your-token-saving-mechanism
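As an added illustration (not Amplify's own code, and not from the answer above), here is what such a custom adapter looks like: a class shaped like Amplify v6's `KeyValueStorageInterface` (async `setItem`/`getItem`/`removeItem`/`clear`) that writes each entry as a `Secure; SameSite=Strict` cookie with a short `Max-Age`, plus a constructed in-memory stand-in for `document.cookie` so it runs outside a browser. The important caveat is visible in the code: a cookie set from JavaScript can never be `HttpOnly`, so this narrows exposure but does not hide the tokens from script running in the page.

```javascript
// Added example: cookie-backed adapter matching the async KeyValueStorageInterface
// shape that Amplify v6 accepts. Assumption: keys/values fit within a cookie (~4 KB).
// Caveat: JS-written cookies cannot be HttpOnly; Secure/SameSite/Max-Age only limit exposure.
class CookieTokenStorage {
  // `doc` is anything exposing a `cookie` getter/setter like the DOM document.
  constructor(doc = globalThis.document, { maxAgeSeconds = 3600, secure = true } = {}) {
    this.doc = doc;
    this.attrs = `; Path=/; SameSite=Strict; Max-Age=${maxAgeSeconds}` + (secure ? '; Secure' : '');
    this.keys = new Set(); // tracked so clear() removes only the cookies this adapter wrote
  }
  async setItem(key, value) {
    this.doc.cookie = `${encodeURIComponent(key)}=${encodeURIComponent(value)}${this.attrs}`;
    this.keys.add(key);
  }
  async getItem(key) {
    const want = encodeURIComponent(key);
    for (const pair of this.doc.cookie.split('; ')) {
      const eq = pair.indexOf('=');
      if (eq > 0 && pair.slice(0, eq) === want) return decodeURIComponent(pair.slice(eq + 1));
    }
    return null; // Amplify treats null as "no token stored"
  }
  async removeItem(key) {
    this.doc.cookie = `${encodeURIComponent(key)}=; Path=/; Max-Age=0`; // Max-Age=0 expires it
    this.keys.delete(key);
  }
  async clear() {
    for (const key of [...this.keys]) await this.removeItem(key);
  }
}

// Constructed stand-in for document.cookie: the setter keeps only name=value
// and honours Max-Age=0 as deletion, which is enough to exercise the adapter in Node.
function fakeDocument() {
  const jar = new Map();
  return {
    get cookie() { return [...jar].map(([k, v]) => `${k}=${v}`).join('; '); },
    set cookie(str) {
      const [pair, ...attrs] = str.split(';').map((s) => s.trim());
      const eq = pair.indexOf('=');
      const name = pair.slice(0, eq), value = pair.slice(eq + 1);
      if (attrs.some((a) => /^max-age=0$/i.test(a))) jar.delete(name); else jar.set(name, value);
    },
  };
}

async function demo() {
  const storage = new CookieTokenStorage(fakeDocument());
  const key = 'CognitoIdentityServiceProvider.example.idToken'; // constructed key, not a real token key
  await storage.setItem(key, 'eyJ.header.payload'); // constructed placeholder, not a real JWT
  const before = await storage.getItem(key);
  await storage.clear();
  return { before, after: await storage.getItem(key) };
}
```

In a real app the adapter is handed to Amplify with `cognitoUserPoolsTokenProvider.setKeyValueStorage(new CookieTokenStorage())` from `aws-amplify/auth/cognito`, and Amplify also ships a ready-made `CookieStorage` in `aws-amplify/utils` if you do not need custom behaviour.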
Do you know if the withAuthentication wrapper handles token refreshes automatically for me?
Amplify will keep the session active for as long as it can, but I don't think it will automatically refresh the token. Typically I called Auth.currentSession(), which would then renew the token automatically.