Amplify-cli: Pipeline resolver field-level authorization
Which Category is your question related to?
AppSync
Amplify CLI Version
4.13.1
What AWS Services are you utilizing?
AppSync, DynamoDB
Provide additional details e.g. code snippets
Is it possible to use pipeline resolvers for field-level authorization? All of the tutorials and documentation I've run across so far show how to do an authorization check and then return either an unauthorized error or the entire query result, like this:
#if(## authorization check logic goes here)
$util.unauthorized()
#end
$util.toJson($ctx.result)
I'm wondering if it's possible to return only some of the dynamo record fields from the result, depending on the outcome of the authorization check.
sopranolinist
All 8 comments
Currently the CLI does not support Pipeline Resolvers. RFC here: https://github.com/aws-amplify/amplify-cli/issues/4262
If you are looking at filtering the results being returned from the DynamoDB there are a few ways to do this. One potential solution would be it to add authorization logic in the response resolver to edit the fields being returned.
#foreach( $item in $ctx.result.items )
## authorization check logic goes here
#end
SwaySway
on 14 May 2020
@SwaySway Thanks for the response. Where can I find out more about field-level authorization in pipeline resolvers? I'm specifically looking for a way to remove certain boolean fields from the results that are returned.
sopranolinist
on 14 May 2020
Could you elaborate on your usecase and the need for pipeline resolvers?
SwaySway
on 14 May 2020
@SwaySway I'm looking for a way to authorize appsync queries/mutations at the field level based on a dynamo table lookup. For example, if a user has a MANAGER role in the User table, then return all fields from a Projects table query, but if user has EMPLOYEE role in the User table only return certain fields from a Projects table query. AppSync doesn't support custom directives, so I was looking into pipeline resolvers as an alternative. I read that amplify allows custom graphql transform packages, but I was hoping to find a solution that isn't amplify-specific.
sopranolinist
on 15 May 2020
One potential way to address this would be to use the @auth, a directive provided as a part of the GraphQL Transformer.
Docs here on @auth: https://docs.amplify.aws/cli/graphql-transformer/directives#field-level-authorization
An example of the usecase you provided could be something like the following
type User @model @auth(rules: [
{ allow: groups, groups: ["Mananger, Employee"] }
]) {
id: ID!
name: String
email: AWSEmail
# only a manager has access of this field
ssn: String @auth(rules: [{ allow: groups, groups: ["Manager"] }])
}
@SwaySway The groups in your solution are Cognito groups, aren't they? I'd like to be able to do this without using Cognito groups, because that would be yet another resource to manage. It would be great if I could leverage the table of roles that I already have.
sopranolinist
on 15 May 2020
Hello @sopranolinist
Another potential solution would be to use a lambda function to handle this authorization logic you are looking for. When chaining this directive on the same field will create a pipeline resolver for the field. Function Docs here: https://docs.amplify.aws/cli/graphql-transformer/directives#function
type User @model {
id: ID!
name: String
email: AWSEmail
ssn: String @function(name: "myAuthFunction")
}
@SwaySway I'll look into that, thank you very much for continuing to respond.
sopranolinist
on 19 May 2020
Related issues
jkeys-ecg-nmsu
路
3Comments
MageMasher
路
3Comments
mwarger
路
3Comments
kangks
路
3Comments
onlybakam
路
3Comments