Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/collaborne/aws-serverless-cognito-passwordless-auth-poc


https://github.com/collaborne/aws-serverless-cognito-passwordless-auth-poc

Last synced: 6 days ago
JSON representation

Awesome Lists containing this project

README

        

# aws-serverless-cognito-passwordless-auth-poc

A POC demonstrating how to create passwordless authentication system using AWS Cognito, Lambda and the Serverless framework.

The repository has two parts:
- the `backend` developed with serverless, aws and typescript and
- the `client` developed using react and typescript bootstrapped with [vite](https://vitejs.dev/).

## Download repository

```
git clone [email protected]:Collaborne/aws-serverless-cognito-passwordless-auth-poc.git
cd aws-serverless-cognito-passwordless-auth-poc
```
## Backend
#### 1. Install dependencies
```
cd backend
npm install
```

#### 2. Set up environment
- Open the `serverless.yml` file
- Set your values for:
- provider.profile (serverlessUser)
- provider.region
- custom.emailFrom
#### 3. Build and deploy
```
npm run build
npx serverless deploy
```

#### 4 Get auth credentials
- Run `npx sls info --verbose` to get the values of `UserPoolClientId`, `UserPoolId` and `ServiceEndpoint` (You will need these for the client).

## Client
#### 1 Install dependencies
```
cd client
npm install
```

#### 2 Set environment variables
- Create a `.env` from the `.env.example` template
- Set the values of `VITE_REGION`,
`VITE_USER_POOL_ID` and
`VITE_USER_POOL_WEB_CLIENT_ID` (These are the values you get from step 4 above).
#### 3. Run the web app
```
npm run dev
```
- In a browser, open the sign up page at `http://localhost:5173/sign-up` and you can sign in from `http://localhost:5173/sign-in`

### Issues
The authentication process is not secured since only an email is required to register and login. The implication of this is that any email can be used to register and the knowledge of someone's email can get me access to their account (since emails are not private entities).

### Suggestions
There should be a limit of operations that can be performed by users with this type of authentication. Deleting and Editing should be restricted to users with more secure authentication methods.