I am creating a login page. The idea is to take the username and password then use that to get an id token from AWS cognito user pool.
Then I need to store the token in a database and transfer that token to index.html along with the username. This is because index.html needs the token to make a POST request to an API Gateway using the same id token, and it needs to know the username to keep track of which user is currently logged in.
Now the index.html has to check if the token transferred to it matches the token in the database or not.
If it does and the token is not expired, then there is no redirection, otherwise, the index.html redirects to login.html.
The problem is that my back-end relies completely on Amazon Lambda functions and API Gateways, because my company does not want me to use any back-end language. Now, I found that Lambda functions could not set browser cookies nor read browser cookies.
This left me no choice but to use JavaScript cookies, sessions and local storage to transfer the token and username to index.html. However, this approach is considered to be insecure.
There aren't any tutorials on a secure login system using cognito.
Note: Any other secure login system will do the work, but remember that I need to pass the username and password to the user pool to get an ID token. This means that if I use any other login method, I would then need to pass both the username and password to index so that index can make a request to the user pool to get an id token and then make a request to the API Gateway.
Now my question is: is there a way to actually transfer data to index from login without compromising security? Can I use Lambdas in any other way to transfer the tokens?
Please help. Thanks in advance.
Now, I found that lambda functions could not set browser cookies nor read browser cookies.
I don't think this is strictly true.
Using Lambda Proxy Integration gives your Lambda function visibility into and control over many aspects of the HTTP request. This includes setting and reading arbitrary headers (including set-cookie).
To demonstrate, you can set a function like this up and attach an API Gateway trigger (with Lambda Proxy Integration enabled) to it:
// Node.js Lambda behind an API Gateway trigger with Lambda Proxy Integration enabled
exports.handler = (event, context, callback) => {
    var returnobj = {
        "statusCode": 200,
        "headers": {
            "Content-Type": "application/json",
            // a wildcard origin is not accepted by browsers for credentialed (cookie-bearing) cross-origin requests
            "access-control-allow-origin": "*",
            // HttpOnly keeps the cookie out of reach of page JavaScript; secure restricts it to HTTPS
            "Set-Cookie": "testcook=testval; path=/; domain=xxxxxxxxxx.execute-api.us-east-1.amazonaws.com; secure; HttpOnly"
        },
        "body": JSON.stringify({})
    };
    // with proxy integration the incoming Cookie header is exposed on event.headers
    console.log("headers", event.headers.Cookie);
    callback(null, returnobj);
};
This function returns a Set-Cookie header that the browser will respect and send along with future requests to this domain. If you hit this in a browser twice, you'll see the cookie sent by the browser and logged by the lambda on the second request.

If you aren't willing to use Lambda Proxy Integration, you can probably still pull this off by mapping part of your Lambda response to a header in API Gateway.