
I am doing the following in my React/Node App:

  1. Using the User Pools for a Cognito App that I have created
  2. Calling the /login endpoint with response_type=token in my React App
  3. Once I receive the JWT token, I pass it to my node/express server in a header (my server is using ssl)
  4. On the Node server, using cognito-express package to call cognitoExpress.validate(accessTokenFromClient, callback) to validate the token
  5. If the call is successful, saving the user details (email etc) and the jwt in localStorage in the React App

And then, for every call to my server, I am repeating steps 3 and 4 above (validating jwt) to ensure that the user is Authenticated.

My concerns with the above approach are:

  1. I am unsure whether cognito-express is actually calling Cognito, or is just decoding the JWT and making a decision on its validity locally.

  2. I tried leaving the session open overnight, and I expected that the call to cognitoExpress.validate(accessTokenFromClient, callback) would fail (because the JWT expires in an hour), but it didn't. Does this mean that an expired JWT token is considered a valid claim?

  3. If the user was Authenticated and his JWT has expired, how do I refresh the JWT without asking him to login again?

OscarAkaElvis
Amarsh

1 Answer

  1. The cognito-express calls Cognito to get public JSON Web Key (jwks.json) from your user pool which it then uses to validate your JWT. The address is derived from your pool-id and region you provide to the library.
  2. As far as I can tell this appears to be a bug in cognito-express. The number they pass in the maxAge option is supposed to be in milliseconds, but the library they use (node-jsonwebtoken) says a numeric value gives the expiration in seconds. Might want to raise an issue at their GitHub site to clear this up.
  3. You should have received a refresh token along with the access token when first logging in. You should pass this refresh token to Cognito to receive a new access token as mentioned in the documentation. You'll have to do this yourself as cognito-express doesn't handle this part. Basically you'll need to keep track of the expiration in your app and make a call to Cognito at or slightly before expiration.
AlphaD
  • What if someone mischievously steals the presumably never-expiring refresh token? With access to the refresh token, that person can request a new set of access and refresh tokens whenever he/she wants. – Puneet Pandey May 04 '21 at 06:34
  • Was wondering if getting hold of the refresh token is any different from getting hold of the plain user credentials. In fact, exposing the user credentials is a safer bet given that credentials update in the future will invalidate the stolen credentials. Refresh token, on the other hand, is always going to be a valid token, and therefore, always going to fetch a new set of access and refresh tokens. – Puneet Pandey May 04 '21 at 06:42
  • @PuneetPandey In most cases the refresh token is revocable at the database level and does come with an expiry. Though if you have reservations about the refresh token system you should ask that as a question; the OP here is using Amazon's Cognito service. – AlphaD May 04 '21 at 07:02
  • I have asked a question regarding this. Please check and provide your suggestions. https://security.stackexchange.com/q/248993/78981 – Puneet Pandey May 04 '21 at 07:28
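The lifetime arithmetic behind points 2 and 3 of the answer, as an added Node example that is neither the asker's code nor part of cognito-express. The token is a constructed, unsigned sample so the example runs offline; a real Cognito access token is RS256-signed and must be verified against the pool's jwks.json before any claim is trusted.

```javascript
// Added example: expiry and refresh-timing checks for a Cognito-style JWT.
// Not from the question or from cognito-express. Signature verification
// against jwks.json is deliberately omitted so this runs offline.

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}

function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

// Constructed sample token (unsigned) carrying the claims a Cognito access
// token has: iat/exp are seconds since the epoch, as RFC 7519 requires.
function makeSampleToken(iatSeconds, ttlSeconds) {
  const header = b64urlEncode({ alg: 'none', typ: 'JWT' });
  const payload = b64urlEncode({
    sub: 'user-123', token_use: 'access', iat: iatSeconds, exp: iatSeconds + ttlSeconds,
  });
  return `${header}.${payload}.`;
}

function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

// The check the server must make on every request: exp is compared in seconds.
function isExpired(token, nowSeconds) {
  const { exp } = decodePayload(token);
  return typeof exp !== 'number' || nowSeconds >= exp;
}

// node-jsonwebtoken reads a numeric maxAge as seconds, so 3600000 (one hour
// written in milliseconds) accepts tokens up to roughly 41 days old.
function withinMaxAge(token, nowSeconds, maxAgeOption) {
  const { iat } = decodePayload(token);
  return nowSeconds - iat <= maxAgeOption;
}

// For point 3: seconds left before the client should present the refresh
// token to Cognito, a little before exp rather than exactly at it.
function secondsUntilRefresh(token, nowSeconds, leewaySeconds = 60) {
  return Math.max(0, decodePayload(token).exp - leewaySeconds - nowSeconds);
}
```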