
Disabled users in AWS Amplify Cognito still can access to data in the API

Graphql Api and Auth added on a brand new project.

I go to Amplify console -> myapp -> api -> GraphQL API and click on View in AppSync. On the run query part, I run a sample query like this:

{
  listTodos {
    items {
      name
    }
  }
}

And the response is an UnauthorizedException. This is expected and working right.

Then, if I log in with a cognito user, the response is some example TODOS. This is also fine.

If I go to Cognito and disable the user, I can still run the query. I was expecting an unauthorized or something else than actually being able to query for my data (as the user is disabled).

Cognito access and ID tokens are valid for one hour from the time they are issued. As long as the user's token is still valid and unexpired, they will be authorized to access the GraphQL API regardless of the user's existence.

Cognito does not offer the ability to revoke access/ID tokens, although the refresh token can be revoked immediately using the GlobalSignOut API call.

One workaround for this limitation is custom logic which can be implemented within your application to verify if the user exists within the user pool/is in a valid state prior to initiating the request with the GraphQL API.
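One way to implement that pre-request check, as an added example that is not code from the answer above: the backend looks the caller up with Cognito's AdminGetUser and denies the request when the user is disabled, not confirmed, or deleted, since a still-unexpired token says nothing about the pool's current state. The pool id, usernames and the stand-in client are constructed for the offline demo; a real deployment passes a boto3 `cognito-idp` client and needs `cognito-idp:AdminGetUser` permission.

```python
"""Gate a GraphQL request on the caller's current Cognito user state.
Added example, not from the original thread. Pool id, usernames and the
responses below are constructed sample values."""
from dataclasses import dataclass

ACTIVE_STATUSES = {"CONFIRMED"}  # assumption: only confirmed users may query


@dataclass(frozen=True)
class UserCheck:
    allowed: bool
    reason: str


def evaluate_admin_get_user(response: dict) -> UserCheck:
    """A disabled user keeps a valid JWT for up to an hour, so the token alone
    is not enough; 'Enabled' and 'UserStatus' reflect the pool's current state."""
    if not response.get("Enabled", False):
        return UserCheck(False, "user is disabled in the user pool")
    status = response.get("UserStatus")
    if status not in ACTIVE_STATUSES:
        return UserCheck(False, f"user status {status!r} is not active")
    return UserCheck(True, "user is enabled and confirmed")


def check_user_state(client, user_pool_id: str, username: str) -> UserCheck:
    """Look the user up with AdminGetUser. `client` is a boto3 cognito-idp
    client (or a stand-in with the same method), injected so tests run offline."""
    try:
        response = client.admin_get_user(UserPoolId=user_pool_id, Username=username)
    except Exception as exc:  # boto3 raises client.exceptions.UserNotFoundException
        if type(exc).__name__ == "UserNotFoundException":
            return UserCheck(False, "user no longer exists in the user pool")
        raise
    return evaluate_admin_get_user(response)


class SampleCognitoClient:
    """Constructed stand-in for boto3's cognito-idp client (offline demo only)."""
    users = {"alice": {"Enabled": True, "UserStatus": "CONFIRMED"},
             "bob": {"Enabled": False, "UserStatus": "CONFIRMED"}}  # bob disabled

    def admin_get_user(self, UserPoolId, Username):
        if Username not in self.users:
            raise type("UserNotFoundException", (Exception,), {})(Username)
        return dict(self.users[Username], Username=Username)
```

Run the check in the resolver or API layer before forwarding to AppSync; it costs one Cognito call per request, so cache the result for far less than the one-hour token lifetime if throughput matters.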

