CookieStorage with httpOnly 2021 edition

[philipjames44]

Is your feature request related to a problem? Please describe.
Yes, amplify should support httpOnly cookie setting via Cognito to prevent a user from manually having to create httpOnly cookies to prevent XSS attacks, and so that using a custom API does not require the user to store JWTs in localStorage.

Describe the solution you'd like
Boolean flag to add httpOnly cookie in cookieStorage by leveraging the backend infra of Cognito.

Describe alternatives you've considered
Creating my own cookies. I cannot store my relevant cookies server side or use API gateway so it must be stored securely on the client. I can use localStorage to store JWTs but httpOnly cookies are the more secure solution.

Additional context
This is a follow up on #3224, which I believe was closed prematurely.

[philipjames44]

Bump.

[Eduard-Hasa]

Bump. Much needed now especially with nextjs 12 middleware authentication capabilities

[justinphilpott]

Curious if anything will happen with this...

[moneebalalfi]

@justinphilpott Me too! found something! ?

[fab-mindflow]

Bump too.

[JoeyAtSS]

Bump

[davemooreuws]

Hey all,

I have decided to create a httpOnly cookie solution for amplify auth. @philipjames44

Feel free to check it out: https://github.com/nitrictech/amplify-secure-js

It's new and we are open to contributors.

[ovidb]

We've ended up using patch-package to modify the AWS Amplify library to support this but it becomes one of those things you have to remember about when you update Amplify. An official solution to this would actually make a lot of sense.

[philipjames44]

This really feels like it should exist out of the box. We've since created our own solution for this problem, but it is ridiculous amplify is offered as a product without http only cookies

[parthNJ]

Please bump this up, this is one of the most frustrating things I've encounter. If possible, please amplify team add the HttpOnly flag.

[abdallahshaban557]

Hello Everyone, we understand this it is frustrating that we do not have this feature available from AWS Amplify and Amazon Cognito. We do not have an immediate solution to this issue, however, we are discussing internally what we can do to support this in a future iteration of our Amplify Auth category.