When using AWS Amplify with an SPA (React, Vue, Angular...), is it good practice to use USER_SRP_AUTH? It seems like a bad idea to store UserPoolId and ClientId on the client.
Am I getting this wrong?
Those params are safe to publish.
See this aws forum question.
I'm currently working on a React-native / Expo app.
After some research on security risks with React Native, I found that it is very easy to reverse engineer an APK and get the JavaScript source code.
For my app, I'm using AWS Amplify for the backend. So all private information, like the Cognito Pool ID, S3 bucket and other endpoints, is easily readable in aws-exports.js after reverse engineering.
I know that it is possible to obfuscate the file with react-native-obfuscating-transformer or the entire app APK with ProGuard, but I don't know if that is a correct way to secure this file.
So, my question is:
Is there a way to secure aws-exports.js in accordance with today's production standards in React Native?
Thanks in advance to everyone who takes the time to answer.
I have seen many people using Next.js with Express.js and without the Express.js framework. Can someone please explain why we need Express.js with Next.js? Next.js works as SSR without Express.js. What does Express.js add to Next.js when we use them together? Assume that we are using a separate REST API server.
You don't need to use Express.js if all you want is server-side rendering. But if you want to go beyond that by adding an API, as an example, then you need to be able to override the routing, and that's when you'd add Express.js in front. Express will get the request and see if it is for the API or if it's just a normal Next.js page. LogRocket has a very good tutorial on this: https://blog.logrocket.com/how-to-build-a-server-rendered-react-app-with-next-express-d5a389e7ab2f/
You most likely don't need to override Next's default server. For edge cases where you do, you'll see examples showing a custom server extending Next's default. You can use whatever server framework you want – Express, Hapi, etc.
https://nextjs.org/docs/advanced-features/custom-server
I'm developing a React Native app and using AWS Amplify with Amazon Cognito for authentication. I've added the authentication for the app using Amplify CLI (amplify add auth). The problem is I need to add/remove the required attributes for the sign up, but those cannot be changed after the user pool is created.
My question is: how can I delete the currently added user pool using the CLI, and make sure that the changes are reflected in aws-exports.js?
I figured it out. As mentioned here, it's not in amplify-cli docs, but you can remove a single category (in this case auth) like this:
amplify remove <category>
So, in this case, it would be
amplify remove auth
And, then
amplify push
aws cognito-idp delete-user-pool --user-pool-id youruserpoolid
I have my app published on the Play Store. I am getting a warning on my Play Console that my AWS credentials have been exposed and that I won't be able to upload a new APK after 12 November 2018 if the problem persists. I use the credentials for uploading images to Amazon S3. The credentials are hard-coded right now.
So I need to know what the right way to rectify this is.
Thanks in advance.
Amazon have a whole blog post on dealing with this problem, and a page on best practices.
Essentially you need to revert the old credentials, and use Amazon Cognito to control access.
An updated link on Cognito lives here.
I'm trying to implement AWS-Amplify in a React Native app so that events can be sent to Pinpoint for analytics. A user doesn't need to be signed in to use the app, so they would be unauthenticated with Cognito.
I am noticing that the identity of the unauthenticated user doesn't seem to persist, so when I close or uninstall the app, a new identity id is generated when I launch the app. The docs suggest that this should be cached, but it seems the cache is clearing out when using AWS Amplify.
Is there a way to set or reuse an identity id for a returning unauthenticated user on AWS Amplify or Cognito so that new identity ids don't get assigned?
I looked through amazon-cognito-identity-js to see if there was a way to do this with an unauthenticated user and wasn't able to find what I am describing: see here.
I'm new to AWS Amplify/Cognito/Pinpoint in general, so any thoughts or suggestions to do something similar would be greatly appreciated!
This is a known issue in AWS Amplify and should have been fixed in the latest version.