navigator.userAgent in CognitoUser.js is raising a Chrome Audit notification

[jrobbins-LiveData]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.
• I have read the guide for submitting bug reports.
• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

JavaScript Framework

Not applicable

Amplify APIs

Not applicable

Amplify Categories

No response

Environment information

# Put output below this line
  System:
    OS: Windows 10 10.0.19044
    CPU: (8) x64 11th Gen Intel(R) Core(TM) i7-1185G7 @ 3.00GHz
    Memory: 5.15 GB / 31.73 GB
  Binaries:
    Node: 16.6.1 - C:\Program Files\nodejs\node.EXE
    Yarn: 1.22.18 - ~\AppData\Roaming\npm\yarn.CMD
    npm: 8.5.3 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Edge: Spartan (44.19041.1266.0), Chromium (102.0.1245.30)
    Internet Explorer: 11.0.19041.1566
  npmPackages:
    cdk-dia: ^0.6.1 => 0.6.1
  npmGlobalPackages:
    @aws-amplify/cli: 7.6.19
    @mhlabs/cfn-diagram: 1.1.33
    @openapitools/openapi-generator-cli: 2.5.1
    aws-cdk: 2.26.0
    npm: 8.5.3
    python: 0.0.4
    serve: 13.0.2
    yarn: 1.22.18

Describe the bug

amplify-js/packages/amazon-cognito-identity-js/src/CognitoUser.js

Line 62 in 1b18862

const userAgent = isBrowser ? navigator.userAgent : 'nodejs';

triggers Audit usage of navigator.userAgent, navigator.appVersion, and navigator.platform from Chrome.

Expected behavior

Following Chrome's suggestion "To fix this issue, replace the usage of navigator.userAgent, navigator.appVersion, and navigator.platform with feature detection, progressive enhancement, or migrate to navigator.userAgentData." should result in removing this flagged "Audit Issue", reducing concerns from security reviews and audits about amazon-cognito-identity.js.

Reproduction steps

Any web app using amazon-cognito-identity.js should exhibit the Audit Issue.

Code Snippet

// Put your code below this line.

Log output

// Put your logs below this line

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

While amazon-cognito-identity.js's use of navigator.userAgent in CognitoUser.js appears safe with respect to the announcing browser "reduction" (https://www.chromium.org/updates/ua-reduction/#reduced-navigatoruseragent-values), such Audit Issues cause concern for those of us using Cognito in secure environments with apps subject to security reviews and audits. Rather than having to give a lengthy explanation why this particular Audit Issue isn't really a concern, it is much much easier to not have to explain it to begin with!

There is hopefully an alternative way for the code to determine the DeviceName rather than using this property.

[chrisbonifacio]

Hi @jrobbins-LiveData 👋 thank you for raising this issue.

We were able to consistently reproduce the issue as you mentioned and the team will be looking into how it can be addressed within our library. We've noted the mention of a User Agent Client Hints API, which according to Chromium, will help to solve the problems of browser fingerprinting and complex string parsing.

[jrobbins-LiveData]

Hi @chrisbonifacio. I worry about the apparent lack of cross-browser support for that API, at least as listed here. But if you restrict its use to only when running on Chrome, that would work. (Sorry if that is obvious!)

[chrisbonifacio]

@jrobbins-LiveData that's a good point. We could make it backwards compatible until browser support is better by checking for navigator.userAgentData first and, if not found, fallback to navigator.userAgent.

if (navigator.userAgentData) {
  // use new hints
} else {
  // fall back to user-agent string
}

[nickarocho]

I'm also able to consistently reproduce the issue with a super simple implementation of amazon-cognito-identity-js in a React app.

I'll begin looking into solutions and will keep you updated along the way. Thanks for pointing this out, @jrobbins-LiveData!

[nadetastic]

With the release of the latest major version of Amplify (aws-amplify@>6), this issue should now be resolved! Please refer to our release announcement, migration guide, and documentation for more information.