# Securing your Flow integration

How to take the next step and ensure your Flow is secure

The code we've written so far is for helping you try out Flow in your app quickly, but to deploy Flow live to your customers you need to cryptographically sign the customer_reference field using your API secret.

NOTE: Without signing the customer_reference field, your Flow integration will stop working after you've created 100 Flow sessions.

To access your API secret, visit the "API Keys" tab in the integration settings modal you used earlier.

Using your API secret in the backend part of your application, create a Base64 encoded SHA-256 HMAC signature of the user identifier that you're passing to the customerReference field for Flow. We realize that's a mouthful, so for example, imagine we are using these values for our integration:

```
api_secret:         'live_secret_abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234'
customer_reference: "3a409367-a417-4d46-9a92-3d7bc5dc4605"
```

The correct signature for these values would be yw0hqBPOIWcHPFZBsaMPnxktOrWwWkZcWP+TneV5D48=.

TIP: Try confirming that your signature function outputs the same value as the example above before you move on to using real customer ids with your actual secret!

In Ruby, we would compute the signature with this code:

```ruby
require 'openssl'
require 'base64'

def sign_customer_reference(api_secret:, customer_reference:)
  # HMAC-SHA256 of the customer reference, keyed with the API secret
  digest = OpenSSL::Digest.new('sha256')
  hmac = OpenSSL::HMAC.digest(digest, api_secret, customer_reference)
  # Base64-encode the raw digest bytes (strict: no line breaks)
  Base64.strict_encode64(hmac)
end

signature = sign_customer_reference(
  api_secret: 'live_secret_abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234',
  customer_reference: "3a409367-a417-4d46-9a92-3d7bc5dc4605"
)
puts signature # => yw0hqBPOIWcHPFZBsaMPnxktOrWwWkZcWP+TneV5D48=
```

If you need help generating your signature, please feel free to email

## Providing your signature to Flow

Once you've got your customer reference signing code implemented, we can shift our focus back to the frontend. You should now update your Flow initialization code to look like this:

Where currentUser.flowSignature is the value of the signature computed using your API secret and currentUser.id.

Once you've updated your code, try launching Flow again like you did before we added the signature. If your signature is correct, the Flow modal should open like it did before. If it doesn't, check the browser's developer console for error messages. Flow will log to console.error if it detects an integration issue like an invalid signature.

## Security checklist for signed requests

Before you move on, review this checklist to make sure you're keeping your users secure.

**Flow signatures should only be computed on your backend.**

Your application's backend should compute the Flow signature, then serve it to your frontend. Computing the signature on the frontend would expose your API secret to the world, giving anyone the ability to access all of the sensitive data associated with your Cognito account. If we detect API secrets exposed in insecure settings, we will immediately revoke the keys, which will break your integration.

**Your users should not be able to generate signatures for anything besides their own id.**

How you serve the signature from your backend is up to you. One approach would be to compute the signature on each page load using the current user's id and render it directly into the page. Another approach might be to implement an internal API endpoint like /api/users/current/flow_signature which computes the signature based on the user id associated with the current user's session. An insecure approach would be providing an internal API endpoint like /api/compute_signature which accepts a value for the backend to sign. This is insecure for similar reasons to the first checklist item: an attacker could easily send many different values to this endpoint and create unique Flow sessions with them in order to subvert the compliance and anti-fraud checks Flow provides you.

**Your customer_reference must be unique and persistent per-user.**

Cognito uses the customer_reference to enforce that each of your customers can only complete their Flow once unless you authorize retries. If the customer_reference you provide for a user in your system changes, Cognito cannot enforce this access control. You can read more about how the customer_reference is critical for your integration working properly and securely in the customer references section.
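The checklist above contrasts a backend endpoint that signs the id of the currently authenticated user with one that signs whatever value the caller sends. The following Ruby sketch, added here as an illustration and not part of Cognito's own documentation or SDK, puts the two side by side: `current_user_flow_signature` derives the customer_reference from the server-side session and ignores request parameters entirely, while `compute_signature_insecure` mirrors the /api/compute_signature anti-pattern. The `API_SECRET` value, the `session` hash shape and the two function names are constructed for the example.

```ruby
require 'openssl'
require 'base64'

# Base64-encoded HMAC-SHA256 of the customer reference, keyed with the API secret.
def sign_customer_reference(api_secret:, customer_reference:)
  hmac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), api_secret, customer_reference)
  Base64.strict_encode64(hmac)
end

# Constructed placeholder; a real secret comes from the "API Keys" tab and
# must live only on the backend (environment variable, secrets manager, etc.).
API_SECRET = 'live_secret_PLACEHOLDER_not_a_real_key'

# Secure pattern (like /api/users/current/flow_signature): the only input is the
# user id the server already associates with the authenticated session. Request
# parameters are accepted but deliberately unused, so a caller cannot influence
# which customer_reference gets signed.
def current_user_flow_signature(session, _params = {})
  user_id = session[:user_id]
  return nil if user_id.nil? # unauthenticated request: nothing to sign
  sign_customer_reference(api_secret: API_SECRET, customer_reference: user_id.to_s)
end

# Insecure pattern (like /api/compute_signature): the caller picks the value.
# Every distinct value yields a fresh valid signature, which lets one person
# open many Flow sessions and defeat the once-per-customer enforcement.
def compute_signature_insecure(params)
  sign_customer_reference(api_secret: API_SECRET, customer_reference: params['value'].to_s)
end

if __FILE__ == $PROGRAM_NAME
  session = { user_id: 42 }                       # constructed logged-in session
  hostile = { 'value' => 'someone-elses-id' }     # constructed request body
  puts "secure endpoint ignores params: #{current_user_flow_signature(session, hostile)}"
  puts "insecure endpoint signs caller input: #{compute_signature_insecure(hostile)}"
end
```

The secure variant keeps the signature bound to the session for free: there is no request field to validate because none is read. If you render the signature into the page on load instead of exposing an endpoint, the same rule applies: compute it from the session's user id, never from form or query input.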