JustANoob

Reputation: 177

Trusting Cognito accessToken in lambda (authorizer in use) - Authorization

Is it safe for my lambda function to trust the accessToken passed by the user and checked by the lambda authorizer to perform CRUD db operations?

For example:

const jwt_decode = require('jwt-decode');   // decodes the payload only; it does NOT verify the signature
const AWS = require('aws-sdk');
const dynamodb = new AWS.DynamoDB.DocumentClient();
// utils.getResponseHeaderApplicantifyCors() is the project's own CORS helper (not shown here)

exports.handler = async (event) => {
  const authToken = event.headers['Authorization'];
  if (!authToken) throw new Error('No auth token found so no username');
  const decodedToken = jwt_decode(authToken);
  const userName = decodedToken.username;    //---- BUT CAN WE TRUST THIS? ----
  const params = {
    TableName: "myTable",
    IndexName: 'userName-gsi',
    KeyConditionExpression: 'userName = :userName',
    ExpressionAttributeValues: {
      ':userName': userName,
    },
    Limit: 1,
  };
  const data = await dynamodb.query(params).promise();
  return {
    statusCode: 200,
    headers: utils.getResponseHeaderApplicantifyCors(),
    body: JSON.stringify(data.Items[0]),
  };
};

Upvotes: 1

Views: 240

Answers (1)

L3p1

Reputation: 126

In your example you're only decoding the JWT, so the only verification made is that the token is in JWT form. That is not enough to guarantee that the JWT originates from a trusted party.

The minimum you should do is to also verify the contents of the JWT token. Steps for that are listed here: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html

Upvotes: 1
