Open cscetbon opened 3 weeks ago
So I found #652 and was able to use this as a workaround, however I still think @auth should be supported as well as globalAuthRule
input AMPLIFY { globalAuthRule: AuthRule = { allow: public } } # FOR TESTING ONLY!

type MetricRecord
  @aws_api_key
  @aws_cognito_user_pools
  # those 2 directives shouldn't be required
  # @auth could be used, but the global rule should apply here
{
  value: Float!
  timestamp: Int!
}

type Query {
  getMetricRecordsByTimeRange(startTime: Int!, endTime: Int!): [MetricRecord!]!
    @auth(rules: [{allow: public}]) # that shouldn't be required either but fails without !
    @function(name: "getMetricRecordsByTimeRange-${env}")
}
I see no reason why a type that is not a model is treated differently in terms of auth support.
Hi @cscetbon, for custom queries, mutations, and subscriptions, the custom type (or non-model type) in the schema would be protected behind the auth rule on the custom operation. The custom type data isn't backed by a DynamoDB table.
You can also implement a custom auth lambda to restrict access to data and/or fields if you need to have fine grained control over them.
I will label this as a feature request for the team to consider.
The custom type data isn't backed by a DynamoDB table.
Yeah I understand that and that's what I want
You can also implement a custom auth lambda to restrict access to data and/or fields if you need to have fine grained control over them.
I'm curious, any examples? In my case I just want to use Cognito (or an API key in test mode) so if it can be automatically supported it would be way better/simpler/consistent. Thanks for the feature-request label!
@chrisbonifacio 👆
@cscetbon Here are the Gen 1 docs for setting up a custom auth rule and lambda using either the Amplify CLI or AWS CDK:
I think you should be able to grab the user's identity from the event.context.identity in the Lambda function if there's an authorization header with a Cognito token.
If not, then you'll have to verify the token manually and parse the payload to implement your custom logic to determine if the user isAuthorized in the response
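The custom auth Lambda described in the comment above could look like the following. This is an added example, not code from the thread or from Amplify: it assumes an AppSync Lambda authorizer event carrying `authorizationToken`, and `CONFIG`, `verifyToken`, `authorize` and the field rule are hypothetical names with constructed placeholder values.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed placeholders (assumptions): in a deployment the PEM is derived
// from the user pool's published JWKS and the issuer is the pool's issuer URL.
const CONFIG = {
  issuer: 'https://cognito-idp.example-region.amazonaws.com/example_pool',
  publicKeyPem: process.env.POOL_PUBLIC_KEY_PEM || '',
  // Hypothetical field rule. A denied field is returned as null, so it
  // should be nullable in the schema.
  deniedForNonAdmins: ['MetricRecord.timestamp'],
};

const b64urlJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Verify an RS256 JWT and return its claims, or null when any check fails.
function verifyToken(token, cfg, nowSec = Math.floor(Date.now() / 1000)) {
  try {
    const [h, p, s, extra] = String(token).split('.');
    if (!h || !p || !s || extra !== undefined) return null;
    // Pin the algorithm: never let the token header choose how it is verified.
    if (b64urlJson(h).alg !== 'RS256') return null;
    const ok = nodeCrypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`),
      cfg.publicKeyPem, Buffer.from(s, 'base64url'));
    if (!ok) return null;
    const claims = b64urlJson(p);
    if (claims.iss !== cfg.issuer) return null;
    if (claims.token_use !== 'access') return null;
    if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return null;
    return claims;
  } catch {
    return null; // malformed token, bad base64/JSON, or unusable key: deny
  }
}

// AppSync Lambda authorizer logic: fail closed, then deny fields per caller.
function authorize(event, cfg = CONFIG, nowSec) {
  const claims = verifyToken(event && event.authorizationToken, cfg, nowSec);
  if (!claims) return { isAuthorized: false };
  const groups = claims['cognito:groups'] || [];
  return {
    isAuthorized: true,
    resolverContext: { sub: String(claims.sub) }, // passed on to resolvers
    deniedFields: groups.includes('admin') ? [] : cfg.deniedForNonAdmins,
  };
}

// Lambda entry point; export it as `handler` when deploying.
const handler = async (event) => authorize(event);
```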
JavaScript Framework: React
Amplify APIs: GraphQL API
Amplify Version: v6
Amplify Categories: api
Backend: Amplify CLI
Environment information
Describe the bug
I'm working on a graphql api to interact with an existing database (aws timestream). The issue I'm facing is that even though I've enabled Global Sandbox Mode, I need to mark as public each field I want to access ... I shouldn't even have to set the type itself as public and if I try I get "Types annotated with @auth must also be annotated with @model". Of course I don't want to use @model as I don't want it to use DynamoDB as its storage.
Expected behavior
Using input AMPLIFY { globalAuthRule: AuthRule = { allow: public } } should be sufficient to have full public access (using an api key as Global Sandbox Mode is enabled)
Reproduction steps
amplify add api
)amplify add function
) and use following code
Code Snippet
Additional information and screenshots
When those rules are set on the function and the timestamp field I can see 2 new functions being created:
Both with a request mapping template looking like this