我担心 AWS Cognito 用户池 Javascript API 似乎并不关心来自哪个网站请求(使用 API 所需的只是用户池 ID 和客户端 ID,它们可以在我的 javascript 源)。
我担心另一个网站可能会劫持我的用户群,可能会诱使用户注册吗?
如果这是一个有效的问题,有什么办法可以防止这种情况发生?预身份验证 Lambda 负载似乎不包含任何请求源数据,所以我想这不是实现它的方法。
如果这不是我需要关心的事情,那是为什么?
最佳答案
所以,我考虑了很长时间并决定:
Yes it's ok to have those digits on your front end.
当然 - 原因如下。
第一:
问题:
Am I right to be concerned that another site could hijack my user pool, potentially tricking users into signing up to it?
响应:
If I were to take your
UserPoolID
andClientID
- could I "hijack" to your application?
回答:
Not exactly...maybe kinda sorta but why...
您授予客户的“租赁”或“许可”级别完全取决于您和您的 IAM Angular 色。 假设我们还没有考虑我的第二个也是更相关的原因 -(来源检查)。
如果我窃取您的访问 key 并滥用您的应用程序/品牌/其他任何内容,我只是在吸引客户访问您的网站。我无法访问您的客户列表、数据、日志、记录等。如果您将经过身份验证的用户权限设置为不允许。 锁定您对客户列表、池信息、数据等的“管理员级别”权限。
示例(添加到您的 Statement
部分):
{
"Effect": "Deny",
"Action": [
"cognito-identity:CreateIdentityPool",
"cognito-identity:DeleteIdentityPool",
"cognito-identity:DeleteIdentities",
"cognito-identity:DescribeIdentity",
"cognito-identity:DescribeIdentityPool",
"cognito-identity:GetIdentityPoolRoles",
"cognito-identity:ListIdentities",
"cognito-identity:ListIdentityPools",
"cognito-identity:LookupDeveloperIdentity",
"cognito-identity:MergeDeveloperIdentities",
"cognito-identity:SetIdentityPoolRoles",
"cognito-identity:UnlinkDeveloperIdentity",
"cognito-identity:UpdateIdentityPool"
],
"Resource": [
"arn:aws:cognito-identity:us-east-1:ACCOUNT_DIGITS:identitypool/us-east-1:PoolID_NUMBERS"
]
}
或者恰恰相反:
{
"Effect": "Allow",
"Action": [
"cognito-identity:GetOpenIdTokenForDeveloperIdentity"
],
"Resource": "arn:aws:cognito-identity:us-east-1:ACCOUNT_DIGITS:identitypool/us-east-1:NUMBERS-NUMBERS-PoolID"
}
只需要 "cognito-identity:GetOpenIdTokenForDeveloperIdentity"
部分。
锁定您对内容的“用户级别”权限
例子:
{
"Effect": "Allow",
"Action": [ "s3:PutObject", "s3:GetObject" ],
"Resource": [
"arn:aws:s3:::[bucket]/[folder]/${cognito-identity.amazonaws.com:sub}/*"
]
}
作为一个明显的经验法则 - 只授予用户他们需要的权限。锁定您可能锁定的所有废话并使用策略模拟器。 结论一:
You can lock down all the things that would expose your client base and make it pointless for someone to 'hyjack' your site. Counter argument:
Ya, but what IF
Here is a doc that might help for IAM stuff And some more
第二:
问题:
The pre-authentication Lambda payload doesn't seem to include any request origin data, so I guess that isn't the way to do it.
响应:
Hmm.
回答:
Yes it does include request origin data - IF one sets it up.
问题:
I'm concerned that the AWS Cognito User Pools Javascript API doesn't seem to care which website requests are coming from
回答:
For this - you're correct. If you are using static served files with user pools triggers - there is little done to check origin.
因此 - 如果您真的想要 - 您可以使用 API Gateway to Lambda 设置所有这些。 这将从客户端移除与用户池的直接交互,并将其放在后端。
前言:
设置设置:
- 进入用户池并设置一个池
- 添加认知身份池
- 进入 Lambda 并将函数与 API 网关触发事件 Hook
- 输入您的代码 - 这是一个“登录”示例:
const
AWS = require( 'aws-sdk' ),
UserPool = new AWS.CognitoIdentityServiceProvider();
exports.handler = ( event, context, callback ) => {
console.log( event );
const params = {
AuthFlow: 'CUSTOM_AUTH',
ClientId: 'numbers',
AuthParameters: {
USERNAME: event.email,
PASSWORD: event.password
}
};
UserPool.initiateAuth( params, ( err, data ) => {
callback( err, data );
} );
};
在上面 - 是的,你可以做:
UserPool.initiateAuth( params, callback );
代替:
UserPool.initiateAuth( params, ( err, data ) => {
callback( err, data );
} );
但这会引发奇怪的错误 - GitHub 上已经有一个关于它的问题。
- 从 API 网关转到触发事件
- 点击您的方法并进入
Integration Request
部分 - 在底部你会看到
Body Mapping Templates
- 添加一个新的并放入
application/json
- 您应该会看到示例模板如下所示:
这是 Apache Template Velocity Language
- 不同于其他映射模板事物使用的 JSONScheme
语言:
#set($allParams = $input.params())
{
"body-json" : $input.json('$'),
"params" : {
#foreach($type in $allParams.keySet())
#set($params = $allParams.get($type))
"$type" : {
#foreach($paramName in $params.keySet())
"$paramName" : "$util.escapeJavaScript($params.get($paramName))"
#if($foreach.hasNext),#end
#end
}
#if($foreach.hasNext),#end
#end
},
"stage-variables" : {
#foreach($key in $stageVariables.keySet())
"$key" : "$util.escapeJavaScript($stageVariables.get($key))"
#if($foreach.hasNext),#end
#end
},
"context" : {
"account-id" : "$context.identity.accountId",
"api-id" : "$context.apiId",
"api-key" : "$context.identity.apiKey",
"authorizer-principal-id" : "$context.authorizer.principalId",
"caller" : "$context.identity.caller",
"cognito-authentication-provider" : "$context.identity.cognitoAuthenticationProvider",
"cognito-authentication-type" : "$context.identity.cognitoAuthenticationType",
"cognito-identity-id" : "$context.identity.cognitoIdentityId",
"cognito-identity-pool-id" : "$context.identity.cognitoIdentityPoolId",
"http-method" : "$context.httpMethod",
"stage" : "$context.stage",
"source-ip" : "$context.identity.sourceIp",
"user" : "$context.identity.user",
"user-agent" : "$context.identity.userAgent",
"user-arn" : "$context.identity.userArn",
"request-id" : "$context.requestId",
"resource-id" : "$context.resourceId",
"resource-path" : "$context.resourcePath"
}
}
通过这个,你可以获得source-ip
,cognito信息等。
此方法是一种用于锁定来源的安全方法。您可以通过在 Lambda 中执行 if
检查来检查来源,或者 IAM 条件 - 阻止来自其他来源的所有请求。
关于javascript - 限制 AWS Cognito 用户池 javascript api 的请求来源,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/40187503/