#✅ - Using Cognito groups for page access safety concern?

7 messages · Page 1 of 1 (latest)

thick heath
#

Hi, I use this to check if the user has a specific group, to render specific sub pages for them.

```js
// "cognito:groups" is absent from the access token when the user belongs to
// no group, so user_groups may be undefined.
const user_groups = user.signInUserSession.accessToken.payload['cognito:groups'];

let show_manager_page = false;
let show_humanRessource_page = false;

try {
  if (user_groups.includes("Manager")) {
    show_manager_page = true;
  }
  if (user_groups.includes("humanRessource")) {
    show_humanRessource_page = true;
  }
} catch (err) {
  // `catch (TypeError)` would bind *every* error to a variable named TypeError;
  // bind the error and check its type instead.
  if (!(err instanceof TypeError)) throw err;
  console.log("NO ACCESS TO ADDITIONAL PAGES");
}
```

My question is whether this could be bypassed by someone with malicious intent?
#

crude oriole
#

You should always secure the API endpoints with backend side logic and not rely on the frontend only.

thick heath
#

One way a malicious user might attempt to bypass access control is by trying to modify the user's group membership in the access token. However, the access token is signed by the Amazon Cognito service, and any attempt to modify the token will result in an invalid signature, causing the authentication process to fail. Doesn't that mean this should be safe?

crude oriole
#

Sorry, I don't have a reference for you. If you are using the Amplify managed groups and they are reflected in all IAM policies, then you are fine, but if you use the same API endpoint for multiple groups, you may need to run some validations within your API endpoint code.

lilac gullBOT
#

✅ - Using Cognito groups for page access safety concern?