search

aws-amplify / amplify-category-api

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development. This plugin provides functionality for the API category, allowing for the creation and management of GraphQL and REST based backends for your amplify project.
https://docs.amplify.aws/
Apache License 2.0
88 stars 76 forks source link

support configuring data access for specific operations #2806

Open josefaidt opened 3 weeks ago

josefaidt commented 3 weeks ago

Environment information

System:
  OS: macOS 14.6.1
  CPU: (10) arm64 Apple M1 Pro
  Memory: 225.25 MB / 32.00 GB
  Shell: /opt/homebrew/bin/fish
Binaries:
  Node: 20.16.0 - ~/.local/state/fnm_multishells/28867_1724346485912/bin/node
  Yarn: undefined - undefined
  npm: 10.8.1 - ~/.local/state/fnm_multishells/28867_1724346485912/bin/npm
  pnpm: 9.7.0 - ~/.local/state/fnm_multishells/28867_1724346485912/bin/pnpm
NPM Packages:
  @aws-amplify/auth-construct: Not Found
  @aws-amplify/backend: 1.1.1
  @aws-amplify/backend-auth: Not Found
  @aws-amplify/backend-cli: 1.2.4
  @aws-amplify/backend-data: Not Found
  @aws-amplify/backend-deployer: Not Found
  @aws-amplify/backend-function: Not Found
  @aws-amplify/backend-output-schemas: Not Found
  @aws-amplify/backend-output-storage: Not Found
  @aws-amplify/backend-secret: Not Found
  @aws-amplify/backend-storage: Not Found
  @aws-amplify/cli-core: Not Found
  @aws-amplify/client-config: Not Found
  @aws-amplify/deployed-backend-client: Not Found
  @aws-amplify/form-generator: Not Found
  @aws-amplify/model-generator: Not Found
  @aws-amplify/platform-core: Not Found
  @aws-amplify/plugin-types: Not Found
  @aws-amplify/sandbox: Not Found
  @aws-amplify/schema-generator: Not Found
  aws-amplify: 6.5.2
  aws-cdk: 2.154.0
  aws-cdk-lib: 2.154.0
  typescript: 5.5.4
AWS environment variables:
  AWS_PROFILE = josef
  AWS_REGION = us-east-1
  AWS_STS_REGIONAL_ENDPOINTS = regional
  AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
  AWS_SDK_LOAD_CONFIG = 1
No CDK environment variables

Description

I have a post confirmation auth trigger that I would like to use to create a UserProfile model when a user signs up.

const schema = a
  .schema({
    UserProfile: a
      .model({
        displayName: a.string(),
      })
      .authorization((allow) => [allow.owner().to(["read"])]),
  })
  .authorization((allow) => [
    allow.resource(postConfirmation).to(["query", "mutate", "listen"]),
  ])

Today I can configure access to "query", "mutate", or "listen", but in this case I would like to configure the function to only be allowed to execute the createUserProfile mutation

const schema = a.schema({
  UserProfile: a
    .model({
      displayName: a.string(),
    })
    .authorization((allow) => [
      allow.owner().to(["read"]),
      allow.resource(postConfirmation).to(["create"]),
    ]),
})
thomasoehri commented 3 weeks ago

My first instinct was also to add the allow.resource authorization rule directly to my model's authorization rules, but then i realized that i could only give my function access to absolutely everything at schema level. I'd like to have more granular control too!

ykethan commented 2 weeks ago

hey,👋 thanks for raising this! I'm going to transfer this over to our API repository for better assistance 🙂