aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0

How to secure subscriptions? #1228

Closed vparpoil closed 5 years ago

vparpoil commented 5 years ago

Which Category is your question related to? Amplify / AppSync

Provide additional details e.g. code snippets Let's create a subscription that receives updates on some user account data:

type Subscription {
    onUpdateUserAccount(id: ID!): UserAccount @aws_subscribe(mutations: ["updateUserAccount"])
}

From the client, you will pass the UserAccountID that you first got from a query, and everything will work. Securing the query is doable with custom VTL logic in the resolver.

How to protect someone from passing another ID than their own ID when subscribing, and hence getting the UserAccount from someone else?

Subscriptions don't seem to be linked to resolvers in AppSync interface, do I need to create a sort of custom resolver here ?

I would love to be able to define the subscription with: onUpdateMyUserAccount: UserAccount

vparpoil commented 5 years ago

I just ran into this RFC for the @auth directive: https://github.com/aws-amplify/amplify-cli/issues/1043 It's stated that you cannot secure subscriptions yet.

elorzafe commented 5 years ago

@vparpoil I will move this to the amplify-cli repo, they can handle this issue better than us.

Thanks for your feedback

kaustavghosh06 commented 5 years ago

@vparpoil We recently added support for adding authorization for your subscriptions. Please take a look at the documentation out here - https://aws-amplify.github.io/docs/cli-toolchain/graphql#authorizing-subscriptions
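The check behind both the custom-resolver route the question asks about and the @auth-based subscription authorization pointed to above is the same: AppSync evaluates a resolver on the subscription field once, when the client connects, and that resolver compares the argument the client passed against the caller's identity. The template below is an added example written for this thread, not code from the issue or from the Amplify project. It hand-writes that check for the `onUpdateUserAccount(id: ID!)` field from the question, using a "None" data source; the `@auth` directive generates a template of the same shape for its `owner` argument. It assumes Cognito User Pools authorization and assumes, for the example, that a UserAccount's `id` is the owning user's Cognito `sub`.

```vtl
## Added example, not part of the original thread or of Amplify's own templates.
## Request mapping template for Subscription.onUpdateUserAccount, attached to a
## "None" data source. AppSync runs this once at subscribe time, so it is the
## point at which a subscription to someone else's account can be refused.
## Assumption for this example: Cognito User Pools auth, and UserAccount.id is
## the user's Cognito "sub".

## Refuse callers that did not authenticate through Cognito User Pools
## ($ctx.identity.sub is only populated for that authorization mode).
#if( $util.isNull($ctx.identity.sub) )
  $util.unauthorized()
#end

## A caller may only subscribe to updates for their own account. Any other id
## is rejected before the subscription is established; the client receives an
## Unauthorized error instead of a stream of somebody else's data.
#if( $ctx.args.id != $ctx.identity.sub )
  $util.unauthorized()
#end

## Nothing is fetched at subscribe time; the payload is ignored for subscriptions.
{
  "version": "2018-05-29",
  "payload": {}
}
```

The matching response mapping template for a subscription resolver simply returns `null`. Two caveats a practitioner should keep in mind: the check runs only when the subscription is created, so the `updateUserAccount` mutation it listens to must enforce the same ownership rule in its own resolver, otherwise the subscriber receives whatever the mutation returned; and if the id is not the Cognito `sub`, the comparison has to be replaced by a lookup (or by the `owner` argument that `@auth` adds to subscriptions) that ties the requested record to the caller.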

github-actions[bot] commented 3 years ago

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels for those types of questions.