feat(auth): Implement secure httpOnly cookie authentication for Okta #1920
Open
arjunp99 wants to merge 3 commits into data-dot-all:main from
Replace localStorage token storage with httpOnly cookies to prevent XSS attacks. Implements custom PKCE flow for Okta authentication while maintaining existing Cognito/Amplify behavior unchanged.

Changes:
- Add PKCE utility for secure OAuth code exchange
- Add Callback view for handling OAuth redirects
- Add backend auth_handler for token exchange endpoints
- Update GenericAuthContext with cookie-based auth for Okta
- Update useClient to work without Authorization header for Okta
- Configure CloudFront to proxy /auth/*, /graphql/*, /search/* paths
- Update Lambda API with auth endpoints and CORS for cookies
- Update custom authorizer to read tokens from Cookie header

Security improvements:
- Tokens stored in httpOnly cookies (not accessible via JavaScript)
- SameSite=Lax prevents CSRF while allowing OAuth redirects
- Secure flag ensures HTTPS-only transmission
Security improvements:
- Add structured logging with sanitized error messages
- Remove hardcoded CloudFront URL fallback (requires proper config)
- Move SimpleCookie import to module level for better performance

Frontend enhancements:
- Add 30-second timeout to token exchange requests
- Fix useEffect dependency array in useClient hook
- Implement OAuth callback handler with PKCE validation

Infrastructure updates:
- Configure auth handler Lambda for cookie-based authentication
- Add API Gateway routes for token exchange, logout, and userinfo
- Improve CloudFront URL parsing documentation

All changes pass Ruff linting and formatting checks.
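The commit messages above describe a custom PKCE flow (a code verifier kept on the client, an S256 challenge sent on the authorize request, state checked when the /callback route is hit). The following is an added Python example of that exchange, written for this page; it is not the PR's pkce.js or auth_handler.py. The authorize URL, client ID and redirect URI are placeholder assumptions, and the final function shows the check the authorization server performs at its token endpoint so the pairing of verifier and challenge can be tested offline.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values for the example only; real deployments read these from config.
OKTA_AUTHORIZE_URL = "https://example.okta.com/oauth2/default/v1/authorize"  # assumed
CLIENT_ID = "0oaexampleclientid"                                              # assumed
REDIRECT_URI = "https://app.example.com/callback"                             # assumed


def generate_code_verifier() -> str:
    """RFC 7636 4.1: 43..128 chars from [A-Za-z0-9-._~]. token_urlsafe(64) gives 86."""
    return secrets.token_urlsafe(64)


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 4.2: BASE64URL(SHA256(ASCII(verifier))) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_request(scope: str = "openid profile email"):
    """Client side, step 1: mint verifier + state, send only the challenge to Okta.
    The caller must keep (verifier, state) until the callback arrives."""
    verifier = generate_code_verifier()
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{OKTA_AUTHORIZE_URL}?{urlencode(params)}", verifier, state


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Client side, step 2: validate the redirect before exchanging the code.
    Rejects error responses, missing codes, and any state that does not match."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("missing authorization code")
    return code


def server_verifies_challenge(stored_challenge: str, presented_verifier: str) -> bool:
    """What the token endpoint does with code_verifier: recompute and compare."""
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    url, verifier, state = build_authorize_request()
    # Constructed callback, as Okta would redirect the browser to /callback.
    callback = f"{REDIRECT_URI}?code=constructed-code&state={state}"
    code = parse_callback(callback, state)
    print("authorize URL:", url)
    print("code:", code, "verifier accepted:",
          server_verifies_challenge(code_challenge_s256(verifier), verifier))
```

The verifier never leaves the client until the code exchange, so an attacker who observes the redirect gets only the code and the challenge and cannot complete the exchange. In the cookie design of this PR the exchange request goes to the backend auth handler, which sets the token cookie; the verifier and state still have to be held client-side (sessionStorage is the usual place) because nothing secret is stored there, only the one-time values for this login.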
Summary
Replace localStorage token storage with httpOnly cookies to prevent XSS attacks for Okta authentication. This implements a custom PKCE flow while maintaining existing Cognito/Amplify behavior unchanged.
Security Improvements
Changes
Frontend
- frontend/src/utils/pkce.js - PKCE utility for secure OAuth code exchange
- frontend/src/authentication/views/Callback.js - OAuth callback handler
- frontend/src/authentication/contexts/GenericAuthContext.js - Cookie-based auth for Okta
- frontend/src/services/hooks/useClient.js - Relative URLs + credentials for cookies
- frontend/src/routes.js - Added /callback route
Backend
- backend/auth_handler.py - Token exchange, userinfo, logout endpoints
- deploy/stacks/lambda_api.py - Auth handler Lambda + API routes
- deploy/stacks/cloudfront.py - Proxy /auth/*, /graphql/*, /search/* to API Gateway
- deploy/custom_resources/custom_authorizer/custom_authorizer_lambda.py - Read tokens from Cookie header
How It Works
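The two ends of the cookie path listed above are the auth handler writing a Set-Cookie header with HttpOnly, Secure and SameSite=Lax, and the custom authorizer reading the token back out of the Cookie header. The block below is an added Python example of both, written for this page and not taken from the PR's auth_handler.py or custom_authorizer_lambda.py. The cookie name, the Authorization: Bearer fallback for the unchanged Cognito/Amplify clients, and the sample events are assumptions constructed for the example.

```python
from http.cookies import CookieError, SimpleCookie
from typing import Optional

# The PR does not name its cookie; this name is an assumption for the example.
TOKEN_COOKIE = "access_token"


def build_set_cookie(value: str, max_age: int, cookie_name: str = TOKEN_COOKIE) -> str:
    """Set-Cookie value for a login response: HttpOnly keeps the token away from
    JavaScript, Secure limits it to HTTPS, SameSite=Lax drops it from cross-site
    POSTs while still sending it on the top-level redirect back from Okta.
    No Domain attribute: CloudFront proxies /auth/* and /graphql/* on the app's
    own origin, so the cookie stays host-only."""
    jar = SimpleCookie()
    jar[cookie_name] = value
    morsel = jar[cookie_name]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def expire_cookie(cookie_name: str = TOKEN_COOKIE) -> str:
    """Set-Cookie value for the logout endpoint: same attributes, Max-Age=0."""
    return build_set_cookie("", 0, cookie_name)


def _cookie_header_from_event(event: dict) -> str:
    """API Gateway REST (payload v1) sends one Cookie header in any letter case;
    HTTP API (payload v2) sends a `cookies` list. Normalize both to one string."""
    if isinstance(event.get("cookies"), list):
        return "; ".join(event["cookies"])
    for key, val in (event.get("headers") or {}).items():
        if key.lower() == "cookie":
            return val or ""
    return ""


def token_from_event(event: dict, cookie_name: str = TOKEN_COOKIE) -> Optional[str]:
    """Authorizer side: prefer the token cookie; fall back to Authorization: Bearer
    so clients that still send the header (Cognito/Amplify path) keep working.
    Returns None when neither is present or the Cookie header is malformed."""
    jar = SimpleCookie()
    try:
        jar.load(_cookie_header_from_event(event))
    except CookieError:
        return None
    morsel = jar.get(cookie_name)
    if morsel is not None and morsel.value:
        return morsel.value
    for key, val in (event.get("headers") or {}).items():
        if key.lower() == "authorization" and val.lower().startswith("bearer "):
            return val[7:].strip() or None
    return None


# Constructed sample events, shaped like the two API Gateway payload formats.
SAMPLE_REST_EVENT = {"headers": {"Cookie": "theme=dark; access_token=eyJ.constructed.token"}}
SAMPLE_HTTP_API_EVENT = {"cookies": ["theme=dark", "access_token=eyJ.constructed.token"]}
SAMPLE_BEARER_EVENT = {"headers": {"Authorization": "Bearer legacy.constructed.token"}}

if __name__ == "__main__":
    print(build_set_cookie("eyJ.constructed.token", 3600))
    print(expire_cookie())
    for name, ev in [("rest", SAMPLE_REST_EVENT), ("httpapi", SAMPLE_HTTP_API_EVENT),
                     ("bearer", SAMPLE_BEARER_EVENT), ("none", {"headers": {}})]:
        print(name, "->", token_from_event(ev))
```

Two caveats a reviewer would raise on this design: SameSite=Lax still attaches the cookie to top-level GET navigations, so nothing behind the authorizer on /graphql/* or /search/* may change state on GET; and Lax treats sibling subdomains of the registrable domain as same-site, so any other app hosted under the same parent domain can make credentialed requests. Both are standard consequences of cookie-based auth rather than problems with the PR, but they are worth stating in the "How It Works" text.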
Backward Compatibility