So, I thought about this for a very long time and decided:
Yes, itโs normal for these numbers to be on your front end.
Of course, for many reasons.
First
Question:
How can I be concerned that another site might take over my user pool, potentially tricking users into subscribing to it?
Answer:
If I accepted your UserPoolID and ClientID - could I "capture" your application?
Answer:
Not really ... maybe itโs kind of like, but why ...
The level of โleaseโ or โpermitโ that you provide to the client is entirely up to you and your IAM roles. Suppose we do not consider my second and more common reason, but - (verification of origin).
If I steal your access keys and misuse your application / brand / something else, I just get customers to your site. I cannot access your customer list, data, magazines, records, etc. IF , so that you establish that your authentication rights do not allow this. Administrative level permissions blocking for client lists, pool information, data, etc.
Example (added to the Statement section):
{ "Effect": "Deny", "Action": [ "cognito-identity:CreateIdentityPool", "cognito-identity:DeleteIdentityPool", "cognito-identity:DeleteIdentities", "cognito-identity:DescribeIdentity", "cognito-identity:DescribeIdentityPool", "cognito-identity:GetIdentityPoolRoles", "cognito-identity:ListIdentities", "cognito-identity:ListIdentityPools", "cognito-identity:LookupDeveloperIdentity", "cognito-identity:MergeDeveloperIdentities", "cognito-identity:SetIdentityPoolRoles", "cognito-identity:UnlinkDeveloperIdentity", "cognito-identity:UpdateIdentityPool" ], "Resource": [ "arn:aws:cognito-identity:us-east-1:ACCOUNT_DIGITS:identitypool/us-east-1:PoolID_NUMBERS" ] }
Or just the opposite:
{ "Effect": "Allow", "Action": [ "cognito-identity:GetOpenIdTokenForDeveloperIdentity" ], "Resource": "arn:aws:cognito-identity:us-east-1:ACCOUNT_DIGITS:identitypool/us-east-1:NUMBERS-NUMBERS-PoolID" }
Only the "cognito-identity:GetOpenIdTokenForDeveloperIdentity" part is required. Block user level permissions for files
Example:
{ "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::[bucket]/[folder]/${cognito-identity.amazonaws.com:sub}/*" ] }
As an obvious rule of thumb, provide users with just what they need. Block all the crap you can block and use the policy simulator. Conclusion in justification:
You can block all the things that will expose your customer base and make "hyjack" your site pointless. Counter Argument:
Ya but what if
Here is a document that can help with IAM materials. And a few more.
Second
Question:
Lambda payload pre-authentication does not seem to contain any request source data, so I think this is not a way to do this.
Answer:
Hm.
Answer:
Yes, it includes the data of the request source - IF , which sets it.
Question:
I'm worried that the AWS Cognito User Pools Javascript API does not seem to care about what website requests come from
Answer:
For this - you are right. If you use static files with user pool triggers, little has been done to verify the origin.
So - if you really want this - you can install all of this using the Gateway API in Lambda. This will remove direct interaction with client pools from the client side and place them at the end.
Introduction:
Sets the settings:
- Log in to user pools and configure the pool
- Add cognito identifier pool
- Go to Lambda and connect the function using the API gateway trigger event.
- enter your code - this is an example of "login":
const AWS = require( 'aws-sdk' ), UserPool = new AWS.CognitoIdentityServiceProvider(); exports.handler = ( event, context, callback ) => { console.log( event ); const params = { AuthFlow: 'CUSTOM_AUTH', ClientId: 'numbers', AuthParameters: { USERNAME: event.email, PASSWORD: event.password } }; UserPool.initiateAuth( params, ( err, data ) => { callback( err, data ); } ); };
In the above - yes, you can do:
UserPool.initiateAuth( params, callback );
Instead:
UserPool.initiateAuth( params, ( err, data ) => { callback( err, data ); } );
But it gives rise to strange errors - the GitHub problem is already open about it.
- Go to trigger event from API Gateway
- Click on your method and go to the
Integration Request section - Below you will see
Body Mapping Templates - Add a new one and enter
application/json - You should see a template template that looks like this:
This Apache Template Velocity Language is different from the JSONScheme language used by other elements of the mapping template:
#set($allParams = $input.params()) { "body-json" : $input.json('$'), "params" : { #foreach($type in $allParams.keySet()) #set($params = $allParams.get($type)) "$type" : { #foreach($paramName in $params.keySet()) "$paramName" : "$util.escapeJavaScript($params.get($paramName))" #if($foreach.hasNext),#end #end } #if($foreach.hasNext),#end #end }, "stage-variables" : { #foreach($key in $stageVariables.keySet()) "$key" : "$util.escapeJavaScript($stageVariables.get($key))" #if($foreach.hasNext),#end #end }, "context" : { "account-id" : "$context.identity.accountId", "api-id" : "$context.apiId", "api-key" : "$context.identity.apiKey", "authorizer-principal-id" : "$context.authorizer.principalId", "caller" : "$context.identity.caller", "cognito-authentication-provider" : "$context.identity.cognitoAuthenticationProvider", "cognito-authentication-type" : "$context.identity.cognitoAuthenticationType", "cognito-identity-id" : "$context.identity.cognitoIdentityId", "cognito-identity-pool-id" : "$context.identity.cognitoIdentityPoolId", "http-method" : "$context.httpMethod", "stage" : "$context.stage", "source-ip" : "$context.identity.sourceIp", "user" : "$context.identity.user", "user-agent" : "$context.identity.userAgent", "user-arn" : "$context.identity.userArn", "request-id" : "$context.requestId", "resource-id" : "$context.resourceId", "resource-path" : "$context.resourcePath" } }
With this, you can get source-ip , cognito information, etc.
This method is a safe method of locking the origin. You can verify the origin by doing an if check in Lambda or an IAM condition - blocking all requests from another source.