This repository has been archived by the owner on Mar 4, 2020. It is now read-only.
After a user signs in, it seems that everything is just saved to local storage:
https://github.com/awslabs/aws-serverless-auth-reference-app/blob/master/app/src/services/account-management.service.ts#L368
Which looks to be the standard JavaScript localStorage:
https://github.com/awslabs/aws-serverless-auth-reference-app/blob/master/app/src/services/account-management.service.ts#L560
Is this secure? I was surprised to find these keys and tokens being set to default storage. It seems to defeat the purpose and power of cognito by storing the AWS secret access key here.
From what I can tell, best practice is to use local storage. I guess the big issue is storing that particular key and not just the JWT. If this isn't best practice, can you help point me in the direction of how to use cognito and not compromise the user?
Thanks!
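A practical way to check what the issue describes is to audit the browser's Web Storage for persisted credential material. The following is an added example, not code from the issue author or from aws-serverless-auth-reference-app; the storage key names it matches on (`accessKeyId`, `secretAccessKey`, `sessionToken`, `idToken`, and so on) are assumptions modelled on common Cognito and AWS SDK naming, not the reference app's actual keys. It runs against a constructed in-memory stand-in for `localStorage` so it works offline; in a browser you would pass `window.localStorage` instead.

```javascript
// Added example: audit a Storage-like object for persisted AWS credentials.
// Key fragments below are assumptions based on common Cognito/SDK naming,
// not the reference app's exact keys.

// Long-lived AWS credential material: the access key id, the secret key and the
// session token that go with it. Any of these in storage is the finding the
// issue raises.
const CREDENTIAL_MARKERS = ['secretaccesskey', 'accesskeyid', 'sessiontoken'];
// Cognito JWTs: reported so a reviewer sees them, but not treated as the secret key.
const TOKEN_MARKERS = ['idtoken', 'accesstoken', 'refreshtoken'];

// Minimal in-memory stand-in for window.localStorage (constructed for the example).
function makeStorage(entries) {
  const map = new Map(Object.entries(entries));
  return {
    get length() { return map.size; },
    key(i) { return Array.from(map.keys())[i] ?? null; },
    getItem(k) { return map.has(k) ? map.get(k) : null; },
  };
}

// Classify one storage key by name: 'aws-credential', 'cognito-token' or null.
function classifyKey(key) {
  const k = key.toLowerCase();
  if (CREDENTIAL_MARKERS.some((m) => k.includes(m))) return 'aws-credential';
  if (TOKEN_MARKERS.some((m) => k.includes(m))) return 'cognito-token';
  return null;
}

// Walk a Storage-like object and report every entry that looks like a credential
// or token. Only the key, the kind and the value length are recorded, never the
// value itself, so the audit output cannot leak the secret it found.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i += 1) {
    const key = storage.key(i);
    const kind = classifyKey(key);
    if (kind) {
      const value = storage.getItem(key) ?? '';
      findings.push({ key, kind, valueLength: value.length });
    }
  }
  return findings;
}

// True when at least one long-lived AWS credential is persisted in storage.
function credentialsArePersisted(storage) {
  return auditStorage(storage).some((f) => f.kind === 'aws-credential');
}

// Constructed sample resembling what the issue describes: credentials and a
// Cognito token written to storage after sign-in. Values are placeholders.
const sampleStorage = makeStorage({
  'app.accessKeyId': 'AKIA_EXAMPLE_PLACEHOLDER',
  'app.secretAccessKey': 'SECRET_EXAMPLE_PLACEHOLDER',
  'app.sessionToken': 'SESSION_EXAMPLE_PLACEHOLDER',
  'CognitoIdentityServiceProvider.example.idToken': 'eyJ.example.jwt',
  'theme': 'dark',
});

if (typeof require !== 'undefined' && require.main === module) {
  console.table(auditStorage(sampleStorage));
  console.log('AWS credentials persisted:', credentialsArePersisted(sampleStorage));
}
```

Run it against a real page by calling `auditStorage(window.localStorage)` from the browser console; the same function works for `sessionStorage`. The check only matches on key names, so an app that stores a whole credentials object under an unrelated key will need its key added to the marker lists.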