
Server-based apps check for a session cookie before returning any content to the user. If an authentication cookie isn't sent from the user's browser, the only content delivered to the user is a redirect/error message.

I'm new to server-less apps. In the several Javascript S3/Cognito-based tutorials I saw (for example AWS' WildRydes), this authentication is client-based. It's triggered only after the entire page has loaded and then redirects to a login page.

Isn't that a fundamental flaw? What stops an unauthenticated user from viewing the page before the redirect?

  • The fact that the redirect happens after the page loads doesn't necessarily mean any sensitive data was sent to the user. – multithr3at3d Sep 09 '19 at 22:34
  • It may help to realize that Amazon's use of "_serverless_" is more marketing than technical... it doesn't mean that no servers are involved, just that you don't have to worry about providing, maintaining, load-balancing etc. the servers yourself... this is all done "magically" by Amazon. The "back-end components" (compute, storage, API etc.) that you use will be running on Amazon's servers and will be using session cookies (or similar) to control and authenticate access. – TripeHound Sep 10 '19 at 13:04

2 Answers

The page itself will generally be HTML, javascript and CSS, which are all statically stored in an S3 bucket. Hence the user could figure out what features are available on the page without ever logging in by inspecting the contents of the files -- but they would not be able to execute that functionality, as each API endpoint would be protected to ensure only authorized users could perform actions.

So you might figure out that there is a POST message to be sent to /api/v1/order for making an order -- but you wouldn't be able to successfully make the order without an access token with the corresponding authority.

Because the entire javascript is downloaded, all GUI elements are executed client side and generally feel snappy -- however this doesn't reduce the security of the overall application.

– keithRozario

The real thing here is frontend & backend.

It is fine to load the full frontend (your javascript code will usually even contain the admin pages' layout).

This is just UI/UX.

The real sensitive data/actions lie in the backend: read/write access to the actual database(s).

There is no issue with knowing that the admin interface has a button that starts this action (and it can be understood from the javascript code, and can be made harder to do so by obfuscating it) as long as any non-authenticated request to the backend server is rejected. That way, you have no read/write leak of any form, and the assets are secure.

– Qortex