I’m working on a React-Redux web-app which integrates with AWS Cognito for user authentication/data storage and with the Shopify API so users can buy items through our site.
With both SDKs (Cognito, Shopify), I’ve run into an issue: Their core functionality attaches data behind the scenes to localStorage
, requiring both SDKs to be run client-side.
But running this code entirely client-side means that the API tokens which both APIs require are completely insecure, such that someone could just grab them from my bundle and then authenticate/fill a cart/see inventory/whatever from anywhere (right?).
I wrote issues on both repos to point this out. Here’s the more recent one, on Shopify. I’ve looked at similar questions on SO, but nothing I found addresses these custom SDKs/ingrained localStorage
usage directly, and I’m starting to wonder if I’m missing/misunderstanding something about client-side security, so I figured I should just ask people who know more about this.
What I’m interested in is whether, abstractly, there’s a good way to secure a client-side SDK like this. Some thoughts:
-
Originally, I tried to proxy all requests through the server, but then the
localStorage
functionality didn’t work, and I had to fake it out post-request and add a whole bunch of code that the SDK is designed to take care of. This proved prohibitively difficult/messy, especially with Cognito. -
I’m also considering creating a server-side endpoint that simply returns the credentials and blocks requests from outside the domain. In that case, the creds wouldn’t be in the bundle, but wouldn’t they be eventually scannable by someone on the site once that request for credentials has been made?
-
Is the idea that these secret keys don’t actually need to be secure, because adding to a Shopify cart or registering a user with an application don’t need to be secure actions? I’m just worried that I obviously don’t know the full scope of actions that a user could take with these credentials, and it feels like an obvious best practice to keep them secret.
Thanks!
2
Answers
Can’t you just put the keys and such in a .env file? This way nobody can see what keys you’ve got stored in there. You can then access your keys through process.env.YOUR_VAR
For Cognito you could store stuff like user pool id, app client id, identity pool id in a .env file.
NPM package for dotenv can be found here: NPM dotenv
Furthermore, what supersecret stuff are you currently storing that you’re worried about? By “API tokens”, do you mean the OpenId token which you get after authenticating to Cognito?
I can respond to the Cognito portion for this. Your AWS Secret Key and Access Key are not stored in the client. For your React.js app, you only need the Cognito User Pool Id and the App Client Id in your app. Those are the only keys that are exposed to the user.
I cover this in detail in a comprehensive tutorial here – http://serverless-stack.com/chapters/login-with-aws-cognito.html