Security concern, user.storage expose other users idToken, refreshToken, accessToken. #768
Comments
|
Luckily this has been researched (and debated!) extensively in the Amplify JS repo (which is the underlying client library for the UI): That would be the best place to continue the discussion 🙏 |
thaddmt
added a commit
that referenced
this issue
Apr 7, 2023
Revert "chore: add debug logs and send them to sample app through hug…
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This has been bugging me for sometime as I have limited knowledge on cyber security especially athentication. I am not sure whether this is the place to ask, but I'll put it here anyway since you guys are pretty responsive. When a user is athenticated, then the browser have access to the
userobject with keys likeusername,userPoolIdandattributes. This object can be examined easily in React DevTools.Then there is this
storagekey in theuserobject. It contains other users idToken, refreshToken, accessToken. Is it safe for such values to be exposed? Can other users' account get hijacked or jeopardised by knowing such values?The text was updated successfully, but these errors were encountered: