Open gpavlov2016 opened 2 weeks ago
Hi @gpavlov2016 can you try changing your mutations handler from custom to function?
ex:
const schema = a.schema({
  Impression: a
    .model({
      videoId: a.string().required(),
      impressions: a.integer().default(0),
    })
    .identifier(["videoId"])
    .authorization((allow) => [allow.publicApiKey(), allow.authenticated()]),

  // Executes atomic increment operation on the impressions field of the Impression model
  increaseImpression: a
    .mutation()
    .arguments({
      videoId: a.string(),
      count: a.integer(),
    })
    .returns(a.ref("Impression"))
    .authorization((allow) => [allow.authenticated()])
    .handler(a.handler.function(incrementImpression)),
});
Mutation performed from the AppSync console with IAM:
Although, I am a little confused about the shared code. Your mutation is using the Lambda as the handler but the handler's logic is also invoking the mutation.
So, the mutation is invoking itself? Is that intentional?
Apologies for the confusion, there are two different functions, I probably should have picked better names for them. Let me try to explain the situation:
So it's not really the mutation handler that I need to authorize but an external function to invoke that handler through GraphQL.
One of the ideas that I am exploring based on your suggestion is to use a function handler instead of a custom resolver for the custom mutation implementation, but unfortunately the documentation omits the example for this use case and instead shows how to implement a query handler that doesn't include accessing the DB. Link to documentation
Oh okay, I see. In that case, the schema level allow.resources should suffice 🤔
I'll try to reproduce again with an external lambda that is separate from the handler
JavaScript Framework: Next.js
Amplify APIs: GraphQL API
Amplify Version: v6
Amplify Categories: No response
Backend: Amplify Gen 2 (Preview)
Environment information
Describe the bug
Consider the use case in which a lambda function needs to use a custom mutation. Before v6.2 we could use allow.authenticated('iam'), however since the upgrade to v6.2 it doesn't work anymore. Neither does the .authorization((allow) => [ allow.resource(...) ]) applied to the whole schema, this only works for non-custom queries and mutations.
Expected behavior
An authorization mechanism to authorize a lambda function to execute a custom mutation should exist
Reproduction steps
Define the schema:
Define a function:
This results in the following error:
Same problem can be seen by running the mutation from the AppSync console: Unless the schema is manually edited and the @aws_iam is added to the increaseImpression declaration - then it works!
Code Snippet
Log output
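An added example, not part of the issue thread or of Amplify's own code: a check over a deployed AppSync schema that reports which fields of a type a caller using a given auth mode cannot invoke, which is how a custom mutation missing @aws_iam (the situation described above) shows up. The SDL is constructed sample input, and the function names and the `defaultMode` parameter are assumptions made for this example.

```javascript
// Constructed sample of a deployed AppSync schema (not copied from the issue).
const SAMPLE_SDL = `
type Impression @aws_api_key @aws_cognito_user_pools @aws_iam {
  videoId: String!
  impressions: Int
}
type Mutation {
  createImpression(input: CreateImpressionInput!): Impression
    @aws_api_key @aws_cognito_user_pools @aws_iam
  # custom mutation: only user-pool callers are listed
  increaseImpression(videoId: String, count: Int): Impression @aws_cognito_user_pools
}
`;

// AppSync's authorization directives.
const AUTH_DIRECTIVES = new Set([
  "aws_iam", "aws_api_key", "aws_cognito_user_pools", "aws_oidc", "aws_lambda",
]);

// Map each field of `typeName` to the auth directives written on that field.
function fieldAuthModes(sdl, typeName) {
  // Drop comments and descriptions so their text is not parsed as fields.
  const clean = sdl.replace(/"""[\s\S]*?"""/g, "").replace(/#.*$/gm, "");
  const type = new RegExp(`\\btype\\s+${typeName}\\b[^{]*\\{([^}]*)\\}`).exec(clean);
  if (!type) throw new Error(`type ${typeName} not found`);
  const fieldRe = /(\w+)\s*(?:\([^)]*\))?\s*:\s*[\w!\[\]]+((?:\s*@\w+(?:\([^)]*\))?)*)/g;
  const modes = new Map();
  for (const [, name, directives] of type[1].matchAll(fieldRe)) {
    const found = [...directives.matchAll(/@(\w+)/g)].map((d) => d[1]);
    modes.set(name, found.filter((d) => AUTH_DIRECTIVES.has(d)));
  }
  return modes;
}

// Fields of `typeName` that a caller using `mode` cannot invoke. A field with no
// auth directive falls back to the API's default mode (assumption: `defaultMode`
// is supplied by the caller, it is not read from the schema).
function fieldsRejecting(sdl, typeName, mode, defaultMode) {
  const rejected = [];
  for (const [name, modes] of fieldAuthModes(sdl, typeName)) {
    const allowed = modes.length ? modes : [defaultMode];
    if (!allowed.includes(mode)) rejected.push(name);
  }
  return rejected;
}

console.log(fieldsRejecting(SAMPLE_SDL, "Mutation", "aws_iam", "aws_cognito_user_pools"));
```

The regex-based parsing covers flat field declarations like the sample; a schema with nested braces or parentheses inside argument defaults needs a real GraphQL parser.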