
Context

I am working on a simple React app with a GraphQL backend, all hosted on AWS. I have custom authentication set up for GraphQL, using AWS Lambda, where each call to GraphQL contains a query or mutation, relevant variables, and the logged-in user's JWT token. Inside the lambda function, I verify the token; if the token is valid, I have logic to determine if the user can access the data they're requesting; if not, I deny all access. Currently, users' JWT tokens are exposed in the GraphQL call.

The code that sends the token is below, where lambdaAuthToken is the JWT token.

import { API } from "aws-amplify";
import { GRAPHQL_AUTH_MODE } from "@aws-amplify/api";

// Route every request through the custom Lambda authorizer.
const graphQLAuthMode = GRAPHQL_AUTH_MODE.AWS_LAMBDA;

export default async function fetchData(
  queryTemplate,   // GraphQL query or mutation document
  queryVars,       // variables for the query
  lambdaAuthToken  // the logged-in user's JWT, passed to the Lambda authorizer
) {
  let response = [];
  try {
    response = await API.graphql({
      query: queryTemplate,
      variables: queryVars,
      authMode: graphQLAuthMode,
      authToken: lambdaAuthToken, // Amplify sends this in the Authorization header
    });
    console.log(response);
  } catch (err) {
    console.log("Error fetching data.");
    console.log(err);
  }

  return response;
}

Question(s)

Are there any security vulnerabilities with sending an unencrypted JWT token over the network? And if so, what might be an appropriate AWS-based encryption scheme to protect the token in transmission? (I'm working in React JS on the front-end, but my custom authentication lambda is in Python.)

Similar questions

I did see the following questions, but did not take any of them to address my questions here.

sonny
  • How is the token being sent "over the network"? Are you sending it via HTTPS? If so, it is already being encrypted while being sent. – John Rotenstein Mar 15 '23 at 05:01
  • @JohnRotenstein, I believe so? The web app address begins with `https://`. For clarity, I've also edited the question to add the specific code that sends the GraphQL request. – sonny Mar 15 '23 at 05:10

1 Answer

Don't bother yourself with encrypting JWTs. Encryption is hard and you can easily misconfigure it. It also takes more CPU and memory resources as you will have to make a lot of encryption and decryption operations.

Instead, make sure that:

  • you always send tokens over HTTPS, in which case they are already encrypted in transit
  • you don't store tokens in databases for a longer time than necessary. Usually, you will not need to store them at all.

You can also verify what claims end up in your tokens. Try not to include sensitive things like social security numbers, medical information, or financial information.

Remember that encrypting a token only protects the token's content from eavesdroppers. If someone manages to intercept an encrypted token they won't be able to read claim values, but they still will be able to call your APIs with that token.

Michal Trojanowski
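An added example, not from the question or the answer, illustrating the answer's last two points: a signed JWT's claims are readable by anyone who obtains the token, and signature verification (what the Python Lambda authorizer does) proves only that the token was not tampered with, so the right fix is to keep sensitive values out of the claims. The HS256 secret, claims and the sensitive-claim denylist below are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Assumed denylist of claim names that should never ride in a bearer token.
SENSITIVE_CLAIMS = {"ssn", "medical_record", "credit_card"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build a signed (not encrypted) HS256 JWT the way an auth service would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def read_claims_unverified(token: str) -> dict:
    """What anyone holding the token sees: the payload decodes without any key."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_hs256_jwt(token: str, secret: bytes) -> dict:
    """What the authorizer should do: pin the algorithm and check the signature."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the token's own alg choice
    expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(payload))


def find_sensitive_claims(claims: dict, denylist=SENSITIVE_CLAIMS) -> list:
    """Audit helper: names of claims that should not be in the token at all."""
    return sorted(name for name in claims if name in denylist)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    token = make_hs256_jwt({"sub": "user-123", "role": "reader", "ssn": "000-00-0000"}, secret)
    print(read_claims_unverified(token))                         # readable with no secret
    print(find_sensitive_claims(read_claims_unverified(token)))  # ['ssn']
    print(verify_hs256_jwt(token, secret)["sub"])                # user-123
```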