Pipeline resolver field-level authorization

Which Category is your question related to? AppSync

Amplify CLI Version 4.13.1

What AWS Services are you utilizing? AppSync, DynamoDB

Provide additional details e.g. code snippets

Is it possible to use pipeline resolvers for field-level authorization? All of the tutorials and documentation I’ve run across so far show how to do an authorization check and then return either an unauthorized error or the entire query result, like this:

#if(## authorization check logic goes here)
    $util.unauthorized()
#end 

$util.toJson($ctx.result)

I’m wondering if it’s possible to return only some of the dynamo record fields from the result, depending on the outcome of the authorization check.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 9 (4 by maintainers)

Top GitHub Comments

1 reaction
SwaySway commented, May 18, 2020

Hello @sopranolinist, another potential solution would be to use a Lambda function to handle the authorization logic you are looking for. Chaining this directive on the same field will create a pipeline resolver for the field. Function docs here: https://docs.amplify.aws/cli/graphql-transformer/directives#function

type User @model {
  id: ID!
  name: String
  email: AWSEmail
  ssn: String @function(name: "myAuthFunction")
}
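
One way the Lambda behind @function(name: "myAuthFunction") could make the per-field decision, as an added example that is not part of the original comment or of the Amplify project's code. It assumes Cognito User Pools authentication, the event shape Amplify passes to @function resolvers (typeName, fieldName, source, identity), and a hypothetical FIELD_POLICY table; unauthorized callers get null for the field instead of an error for the whole query.

```javascript
// Added example: a possible handler for the Lambda named "myAuthFunction".
// Assumptions: Cognito User Pools auth and the Amplify @function event shape;
// FIELD_POLICY and the group names in it are hypothetical.

// Which Cognito groups may read each protected field, keyed "Type.field".
const FIELD_POLICY = {
  "User.ssn": ["Manager"],
};

// Extract the caller's groups; anything missing or malformed yields no groups.
function callerGroups(identity) {
  const groups = identity && identity.claims && identity.claims["cognito:groups"];
  if (Array.isArray(groups)) return groups;
  // Defensive: accept a single group given as a plain string.
  if (typeof groups === "string" && groups.length > 0) return [groups];
  return [];
}

// Return the stored value for authorized callers and null for everyone else.
function resolveField(event) {
  const key = `${event.typeName}.${event.fieldName}`;
  const allowed = FIELD_POLICY[key];
  // A field wired to this function without a policy entry is denied (fail closed).
  if (!allowed) return null;
  const groups = callerGroups(event.identity);
  const authorized = groups.some((g) => allowed.includes(g));
  if (!authorized || !event.source) return null;
  // event.source is the parent User record already fetched by the query.
  const value = event.source[event.fieldName];
  return value === undefined ? null : value;
}

// Lambda entry point; AppSync uses the return value as the field's value.
async function handler(event) {
  return resolveField(event);
}

if (typeof module !== "undefined") module.exports = { handler };
```

Because ssn is declared as a nullable String in the schema above, returning null keeps the rest of the User object intact for callers outside the allowed groups.
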
1 reaction
SwaySway commented, May 15, 2020

One potential way to address this would be to use @auth, a directive provided as part of the GraphQL Transformer. Docs on @auth here: https://docs.amplify.aws/cli/graphql-transformer/directives#field-level-authorization

An example of the use case you provided could be something like the following:

type User @model @auth(rules: [
  { allow: groups, groups: ["Manager", "Employee"] }
]) {
  id: ID!
  name: String
  email: AWSEmail
  # only a manager has access to this field
  ssn: String @auth(rules: [{ allow: groups, groups: ["Manager"] }])
}