@aws_auth directive does not grant full access to query with multiple data sources
Describe the bug
When adding the @aws_auth directive to a specific Query, the user group does not get full access to all the attributes in the query.
To Reproduce
- Create the following schema:
type Node {
  node_id: String!
  node_name: String
  location_id: String
  location_name: String
}
type Location {
  location_id: String
  location_name: String
}
type Query {
  getNode(node_id: String!): Node
}
The node_id, node_name and location_id fields are native fields within a DynamoDB table called Nodes, while the location_id and location_name fields are native to another DynamoDB table called Locations.
- Add a custom resolver for the location_name field, since we want to fetch back the location_name along with a query for nodes.
Data Source: Locations
Request Mapping Template
{
  "version" : "2017-02-28",
  "operation" : "Scan",
  "filter" : {
    "expression" : "location_id= :location_id",
    "expressionValues" : {
      ":location_id" : { "S" : "${ctx.source.location_id}" }
    }
  }
}
Response Mapping Template
$util.toJson($ctx.result.items[0].location_name)
- Select Authorization type as Amazon Cognito User Pool.
- Under User Pool configuration, select default action: DENY.
- Add the @aws_auth directive to the query:
type Query {
  getNode(node_id: String!): Node
  @aws_auth(cognito_groups: ["Users"])
}
- Query getNode via the Queries console.
Expected behavior
We get back the full record for the node. Instead, we get back the data for the node_id, node_name and location_id fields, but cannot resolve the location_name:
{
  "data": {
    "getNode": {
      "node_id": "111",
      "location_name": "ABC"
      "node_name": "Apple"
    }
  },
  "errors": [
    {
      "path": [
        "getNode",
        "location_name"
      ],
      "data": null,
      "errorType": "Unauthorized",
      "errorInfo": null,
      "locations": [
        {
          "line": 4,
          "column": 5,
          "sourceName": null
        }
      ],
      "message": "Not Authorized to access location_name on type Node"
    }
  ]
}
Additional context
Any explanation on how exactly the @aws_auth directives work would be helpful. There seems to be limited documentation on this. Thank you!

When specifying the default action of DENY then you must explicitly allow access on the field. You may also set this value to ALLOW and I believe the full object should come back as expected.
Thank you @mikeparisstuff. Useful to know that we must explicitly allow access on custom-resolver fields, if we are using the DENY action.
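
The behaviour discussed in this thread, as an added example that is not part of the original issue or AppSync's own code: a small Python lint that lists the resolver-backed fields a caller would be refused. It is a simplified model that assumes what the thread reports (a field with a resolver and no @aws_auth falls to the default action); `parse_groups`, `denied_fields` and the hand-written resolver list are hypothetical names.

```python
import re

# Constructed sample: the issue's schema, with @aws_auth on Query.getNode only.
SCHEMA = '''
type Node {
  node_id: String!
  node_name: String
  location_id: String
  location_name: String
}
type Query {
  getNode(node_id: String!): Node
  @aws_auth(cognito_groups: ["Users"])
}
'''
# Assumption: resolver-backed fields are listed by hand as (type, field) pairs.
RESOLVERS = [("Query", "getNode"), ("Node", "location_name")]

TYPE_RE = re.compile(r"\btype\s+(\w+)[^{]*\{(.*?)\}", re.S)
FIELD_RE = re.compile(
    r"(\w+)\s*(?:\([^)]*\))?\s*:\s*[\[\]\w!]+((?:\s*@\w+(?:\([^)]*\))?)*)")
GROUPS_RE = re.compile(r"@aws_auth\(\s*cognito_groups\s*:\s*\[([^\]]*)\]")


def parse_groups(schema):
    """Map (type, field) to its @aws_auth group list, or None when undecorated."""
    out = {}
    for type_name, body in TYPE_RE.findall(schema):
        for m in FIELD_RE.finditer(body):
            auth = GROUPS_RE.search(m.group(2))
            out[(type_name, m.group(1))] = (
                re.findall(r'"([^"]+)"', auth.group(1)) if auth else None)
    return out


def denied_fields(schema, resolvers, caller_groups, default_action="DENY"):
    """Resolver-backed fields the caller would be refused (simplified model)."""
    groups = parse_groups(schema)
    denied = []
    for key in resolvers:
        allowed = groups.get(key)
        if allowed is None:
            permitted = default_action == "ALLOW"  # no directive: default decides
        else:
            permitted = bool(set(allowed) & set(caller_groups))
        if not permitted:
            denied.append(key)
    return denied
```

Run against the schema as posted, it flags Node.location_name for a caller in the "Users" group; adding the directive to that field, or switching the default action to ALLOW, clears the finding.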