
Is it safe to expose the AWS Cognito Ids?

I'm using the client-side Cognito JavaScript SDK. Part of the setup requires configuring region, UserPoolId, ClientId, and identityPoolId. During testing, I'm including the data via a separate file that users could look through and use to discover these Cognito ids.

Is it safe to expose these ids to the end user?

Otherwise, how do I do this safely?

nu everest asked Sep 22 '16 22:09


1 Answer

There's a post by AWS on their forums that addresses this.

Please note that with userPoolId and clientId, only unauthenticated APIs can be called, for eg: SignUp, authenticate, forgotPassword etc. So userPoolId and clientId alone are not enough to do any malicious activity on your user pool.

Source is https://forums.aws.amazon.com/thread.jspa?threadID=245752&tstart=200

An alternative is to use API Gateway with the Cognito authorizer for handling calls to other back-end services (like DynamoDB or S3) instead of using those directly from the front-end js. That's described here:

https://aws.amazon.com/blogs/mobile/aws-mobile-app-backend-with-hybrid-apps/

Jim Howard answered Sep 17 '22 02:09
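
The API Gateway arrangement mentioned in the answer above, sketched as a CloudFormation template. This is an added example, not part of the original answer or the linked AWS post; the resource names and the two parameters (an existing user pool ARN and a Lambda integration URI) are assumptions.

```yaml
# Added example: resource names and parameters are hypothetical.
# The browser holds only the public pool/client ids plus the token it
# receives after sign-in; IAM access to DynamoDB or S3 stays with the
# back-end behind this API.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  UserPoolArn:
    Type: String
    Description: ARN of the existing Cognito user pool (assumed to exist)
  BackendInvokeUri:
    Type: String
    Description: API Gateway invocation URI of the back-end Lambda (placeholder)
Resources:
  Api:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: example-api
  ItemsResource:
    Type: AWS::ApiGateway::Resource
    Properties:
      RestApiId: !Ref Api
      ParentId: !GetAtt Api.RootResourceId
      PathPart: items
  CognitoAuthorizer:
    Type: AWS::ApiGateway::Authorizer
    Properties:
      Name: cognito-user-pool
      RestApiId: !Ref Api
      Type: COGNITO_USER_POOLS
      # API Gateway validates the user pool token sent in this header
      IdentitySource: method.request.header.Authorization
      ProviderARNs:
        - !Ref UserPoolArn
  GetItems:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref Api
      ResourceId: !Ref ItemsResource
      HttpMethod: GET
      # With NONE here, anyone who knows the URL could call the method;
      # COGNITO_USER_POOLS rejects requests without a valid pool token.
      AuthorizationType: COGNITO_USER_POOLS
      AuthorizerId: !Ref CognitoAuthorizer
      Integration:
        Type: AWS_PROXY
        IntegrationHttpMethod: POST
        Uri: !Ref BackendInvokeUri
```

The template omits the Lambda function, its invoke permission for API Gateway, and the deployment stage, all of which a real stack would also need.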