Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature Request] Provide a way to prevent authorization tokens from presenting in query string on GraphQL websockets #278

Open
neilferreira opened this issue Mar 31, 2023 · 1 comment
Open

[Feature Request] Provide a way to prevent authorization tokens from presenting in query string on GraphQL websockets #278

neilferreira opened this issue Mar 31, 2023 · 1 comment
Labels
feature-request New feature or request

Comments

@neilferreira
Copy link

Issue

Our usage of AWS AppSync's WebSockets implementation currently means we’re sending Cognito JWTs using query string parameters to the AWS AppSync GraphQL endpoint.

As per the AWS Documentation, to use AppSync’s GraphQL to connect and initiate a successful handshake with AWS AppSync, a WebSocket client needs the following:

  • The AWS AppSync real-time endpoint
  • A query string that contains header and payload parameters:
    • header: Contains information relevant to the AWS AppSync endpoint and authorization. This is a base64-encoded string from a stringified JSON object. The JSON object content varies depending on the authorization mode.
    • payload: Base64-encoded string of payload.

With these requirements, a WebSocket client can connect to the URL containing the real-time endpoint with the query string, using graphql-ws as the WebSocket protocol.

This approach is advised against according to some relevant OWASP framework rules and security best practices.

Potential Solution

Given that this existing flow is critical to using AWS AppSync, I don’t believe we could change how this initial handshake works by changing how we use the Amplify SDK. From reading into it further, the WebSocket API in JavaScript does not support adding custom headers. The article below states that the general rules of not including credentials in query strings do not apply to WSS.

I would assume that given the general sentiment about it “being ok” to pass credentials in the query string AWS has opted to follow this approach.

According to this article a standard method to overcome this limitation in the WebSockets API is for API maintainers to implement a "ticketing" system.
@onlybakam onlybakam added the feature-request New feature or request label May 1, 2023
@coolaqua23
Copy link

Any timelines on when will this be implemented? We are also running into same issue with auth token logged in logs as it is part of query param.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature-request New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@onlybakam @neilferreira @coolaqua23