Recently started building a SPA. I'm using the official AWS stand-alone Amplify javascript library for Auth. After deploying my SPA and logging in, I noticed that all of my tokens are persisted in local storage in the browser.
For example:
I'm fairly new to the frontend auth, but everything I've read has claimed that this is poor security. For example:
auth0.com: Using browser local storage
Here’s Why Storing JWT in Local Storage is a Disastrous Mistake
Best Practices for Storing Access Tokens in the Browser
Is this something that AWS is failing to account for?
You can use a custom storage adapter and use cookies for instance:
https://docs.amplify.aws/react/build-a-backend/auth/manage-user-session/#update-your-token-saving-mechanism
Do you know if the withAuthentication wrapper handles token refreshes automatically for me?
withAuthentication
Amplify will keep active session for as long as it can, but I don’t think it will automatically refresh the token. Typically I did call Auth.currentSession() which would then renew to token automatically
您未登录。 登录 发布回答。
一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。
AWS 官方已更新 2 年前
Do you know if the
withAuthenticationwrapper handles token refreshes automatically for me?Amplify will keep active session for as long as it can, but I don’t think it will automatically refresh the token. Typically I did call Auth.currentSession() which would then renew to token automatically