Is your feature request related to a problem? Please describe.
I have implemented an admin group for users. They have access to administrative actions. But to find out if the user has admin access I have to make a request to the AdminQueries API. When that fails I consider that this user doesn't have admin access. There is no other way to find out if the user has admin access or not. If that network request succeeds then I made a network request for absolutely no reason. I just wanted to hide some UI for non-admin users.
Describe the solution you'd like
On login or on current authenticated user, if the CognitoUser can tell me whether that user has access to the AdminQueries API then I can hide or show some UI without making a network request.
Describe alternatives you've considered
Alternatively, I am making a network request to see if I have admin access. That result is not needed for the homepage screen, so it's a wasted request.
You can add an isAdmin attribute to the token and check that on the client. You'll need to scan your pool and update all users.
You can also add a sign-up trigger to add the isAdmin attribute to your admin users when they sign up.
Instead of scanning the pool, one thing you could do is add the isAdmin attribute and edit the Lambda function which is invoked by the AdminQueries API so that whenever you add a user to your Admin group (or whatever you name the group) with addUserToGroup you also set that attribute to TRUE. You could also edit the route for removeUserFromGroup to set it to FALSE whenever someone is removed from a group.
I added a custom attribute isAdmin from the Cognito console on the AWS website. Then I tried to register a new user. The exact error message was
Attributes did not conform to the schema: isAdmin: Attribute does not exist in the schema.
I am just trying to register a new user with isAdmin false. Then the next step would be to update the Lambda function for addUserToGroup and removeUserGroup.
Can you post your sign-up attributes code? My guess is you're missing the custom: prefix.
Edit: also remember all tokens are untrusted until validated; don't assume the claims in a token are accurate just because.
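One way to wire up the suggestions above, as an added example that is not from the Amplify project or this thread: the group-management handlers mirror membership into custom:isAdmin (note the custom: prefix), the client reads that flag only from an already verified token as a UI hint, and the API still authorizes on the cognito:groups claim. It assumes an aws-sdk v2 CognitoIdentityServiceProvider-style client (adminAddUserToGroup, adminRemoveUserFromGroup, adminUpdateUserAttributes) and an admin group named Admin; a constructed in-memory stub stands in for the client so it runs offline.

```javascript
"use strict";

// Assumptions (not from the thread): the admin group is named "Admin", and `cognito`
// is an aws-sdk v2 CognitoIdentityServiceProvider, or a stub exposing the same calls.
const ADMIN_GROUP = "Admin";
const ADMIN_ATTR = "custom:isAdmin"; // custom attributes always carry the "custom:" prefix

// Keep the attribute in step with group membership so the client gets a UI hint.
async function setAdminFlag(cognito, userPoolId, username, value) {
  await cognito.adminUpdateUserAttributes({
    UserPoolId: userPoolId,
    Username: username,
    UserAttributes: [{ Name: ADMIN_ATTR, Value: value ? "true" : "false" }],
  }).promise();
}

// Replacement bodies for the AdminQueries addUserToGroup / removeUserFromGroup routes.
async function addUserToGroup(cognito, userPoolId, username, groupName) {
  await cognito.adminAddUserToGroup({ GroupName: groupName, UserPoolId: userPoolId, Username: username }).promise();
  if (groupName === ADMIN_GROUP) await setAdminFlag(cognito, userPoolId, username, true);
}

async function removeUserFromGroup(cognito, userPoolId, username, groupName) {
  await cognito.adminRemoveUserFromGroup({ GroupName: groupName, UserPoolId: userPoolId, Username: username }).promise();
  if (groupName === ADMIN_GROUP) await setAdminFlag(cognito, userPoolId, username, false);
}

// Client: read the hint from ID-token claims that were already verified (signature,
// issuer, audience, expiry). The flag only decides which UI to render.
function isAdminHint(verifiedIdTokenClaims) {
  return verifiedIdTokenClaims[ADMIN_ATTR] === "true";
}

// Server: authorize on group membership in the verified token, never on the custom
// attribute, which is only as trustworthy as its write permissions in the pool.
function isAuthorizedAdmin(verifiedTokenClaims) {
  return (verifiedTokenClaims["cognito:groups"] || []).includes(ADMIN_GROUP);
}

// Constructed in-memory stand-in for the three SDK calls, so the example runs offline.
function makeStubCognito() {
  const users = {};
  const rec = (u) => users[u] || (users[u] = { groups: new Set(), attrs: {} });
  const call = (fn) => (p) => ({ promise: async () => fn(p) });
  return {
    users,
    adminAddUserToGroup: call((p) => rec(p.Username).groups.add(p.GroupName)),
    adminRemoveUserFromGroup: call((p) => rec(p.Username).groups.delete(p.GroupName)),
    adminUpdateUserAttributes: call((p) => p.UserAttributes.forEach((a) => { rec(p.Username).attrs[a.Name] = a.Value; })),
  };
}
```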
You were right, I didn't add the custom: prefix because I didn't know about it. I added it and now I am getting currentAuthenticatedUser with the custom:isAdmin attribute.
Now let me tamper with the Lambda. I chose Amplify because I don't know Node Express. But I will have to take a shot at this.
Closing this request as per the above comment. Please open another issue if you have any other thoughts or concerns on this.