Recently started building a SPA. I'm using the official AWS stand-alone Amplify JavaScript library for Auth. After deploying my SPA and logging in, I noticed that all of my tokens are persisted in local storage in the browser.
For example:
I'm fairly new to the frontend auth, but everything I've read has claimed that this is poor security. For example:
auth0.com: Using browser local storage
Here’s Why Storing JWT in Local Storage is a Disastrous Mistake
Best Practices for Storing Access Tokens in the Browser
Is this something that AWS is failing to account for?
You can use a custom storage adapter and use cookies for instance:
https://docs.amplify.aws/react/build-a-backend/auth/manage-user-session/#update-your-token-saving-mechanism
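To make the "custom storage adapter" concrete, here is an added example (not Amplify's own code and not from the linked docs) of a cookie-backed store with the four-method shape that Amplify's KeyValueStorageInterface expects: setItem, getItem, removeItem and clear, all returning promises. The cookie jar is injected so the class can run outside a browser; in a real SPA you would pass `document` and hand an instance to `cognitoUserPoolsTokenProvider.setKeyValueStorage(...)` as the linked page describes. `FakeDocument` and the token values are constructed for the example, and `CookieTokenStorage` and `scriptReadableNames` are names chosen here, not Amplify identifiers.

```javascript
// Cookie-backed storage adapter with the KeyValueStorageInterface shape
// (setItem/getItem/removeItem/clear). Added example, not Amplify's code.
class CookieTokenStorage {
  constructor(jar, { path = '/', sameSite = 'Strict', secure = true } = {}) {
    this.jar = jar;          // object exposing a document.cookie-like `cookie` property
    this.path = path;
    this.sameSite = sameSite;
    this.secure = secure;
  }

  // Attribute string appended to every Set-Cookie style assignment.
  attrs(maxAge) {
    const parts = [`Path=${this.path}`, `SameSite=${this.sameSite}`];
    if (this.secure) parts.push('Secure');
    if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
    return parts.join('; ');
  }

  // Parse "a=1; b=2" (what document.cookie returns) into a Map of decoded name -> value.
  parse() {
    const out = new Map();
    for (const pair of this.jar.cookie.split('; ')) {
      const eq = pair.indexOf('=');
      if (eq < 0) continue;
      out.set(decodeURIComponent(pair.slice(0, eq)), decodeURIComponent(pair.slice(eq + 1)));
    }
    return out;
  }

  async setItem(key, value) {
    // Encode so that ';', '=' and whitespace inside a token never break the cookie grammar.
    this.jar.cookie = `${encodeURIComponent(key)}=${encodeURIComponent(value)}; ${this.attrs()}`;
  }

  async getItem(key) {
    return this.parse().get(key) ?? null;
  }

  async removeItem(key) {
    // Max-Age=0 tells the browser to discard the cookie immediately.
    this.jar.cookie = `${encodeURIComponent(key)}=; ${this.attrs(0)}`;
  }

  async clear() {
    await Promise.all([...this.parse().keys()].map((k) => this.removeItem(k)));
  }
}

// Constructed stand-in for `document`: assigning `.cookie` adds or updates one
// cookie (or deletes it when Max-Age=0) and reading it returns "name=value" pairs.
// Real browsers additionally enforce Path, Secure and expiry; this does not.
class FakeDocument {
  constructor() { this.store = new Map(); }
  get cookie() {
    return [...this.store].map(([k, v]) => `${k}=${v}`).join('; ');
  }
  set cookie(str) {
    const [nv, ...attrs] = str.split('; ');
    const eq = nv.indexOf('=');
    const name = nv.slice(0, eq);
    const maxAge = attrs.find((a) => a.toLowerCase().startsWith('max-age='));
    if (maxAge && Number(maxAge.split('=')[1]) <= 0) this.store.delete(name);
    else this.store.set(name, nv.slice(eq + 1));
  }
}

// Names an injected script can read back: every cookie the adapter wrote,
// because a cookie set from JavaScript can never be HttpOnly.
function scriptReadableNames(doc) {
  return doc.cookie ? doc.cookie.split('; ').map((p) => p.split('=')[0]) : [];
}

// Browser wiring (assumed from the linked docs; not executable here):
// import { cognitoUserPoolsTokenProvider } from 'aws-amplify/auth/cognito';
// cognitoUserPoolsTokenProvider.setKeyValueStorage(new CookieTokenStorage(document));
```

Two caveats before adopting this. First, it only moves the tokens between two stores that page scripts can read: anything that can run JavaScript in the page (the XSS case the linked articles worry about) reads `document.cookie` just as easily as `localStorage`, so the adapter does not by itself deliver the HttpOnly-cookie protection those articles recommend; that requires a server to set the cookie. Second, browsers cap a single cookie at roughly 4 KB, and Cognito ID tokens for users in many groups can exceed that, so test with your real token sizes.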
Do you know if the withAuthentication wrapper handles token refreshes automatically for me?
Amplify will keep the session active for as long as it can, but I don't think it will automatically refresh the token. Typically I called Auth.currentSession(), which would then renew the token automatically.