aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Allow userPool auth flow in S3 storage #13831

Open anthonyhoegberg opened 1 month ago

anthonyhoegberg commented 1 month ago

Is this related to a new or existing framework?

React

Is this related to a new or existing API?

Authentication, Storage

Is this related to another service?

No response

Describe the feature you'd like to request

So in the Amplify docs, when setting up authentication we can do something like

export const auth = defineAuth({
  loginWith: {
    email: true,
  },
  groups: ["admin"],
});

and to describe our table and allow groups and only own users to access data we can do

export const data = defineData({
    schema, // Ignore the schema for now;
    // just some tables have owner and group ownership, etc.
    authorizationModes: {
        defaultAuthorizationMode: 'userPool',
    },
});

So then, since we are currently using the userPool flow, when setting up S3 we can do something like


export const storage = defineStorage({
  name: 'camiot1data',
  access: (allow) => ({
    'pics/{entity_id}/*': [
        allow.entity("identity").to(['read', 'write', 'delete']),
        allow.groups(["admin"]).to(['read', 'write', 'delete'])
    ],
  })
});

However, this current approach does not align with the application's login flow etc., and since this approach forces identity pool we can't have owned resources together with groups etc. Also, currently when using Authenticator or other Amazon resources to get the logged-in user, we are getting the user pool's user id and not the identity id, so we can't use the identity id here.

Describe the solution you'd like

The ideal solution would be to allow the S3 configuration to also use the user pool id as is, and therefore be able to do something like this

export const storage = defineStorage({
  name: 'camiot1data',
  access: (allow) => ({
    'pics/{user_id}/*': [ // {user_id} just to specify it's our own user's id
        allow.own().to(['read', 'write', 'delete']),
        allow.groups(["admin"]).to(['read', 'write', 'delete'])
    ],
  })
});

and when accessing data using the API etc., we can use the logged-in user's permissions etc. to access resources, and non-logged-in users or other users can't access another user's resources. However, users with group permissions can access the data as described.

Describe alternatives you've considered

None; currently removing security is the fix for me, but I don't like that.

Additional context

No response

Is this something that you'd be interested in working on?
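
The mismatch described in this issue, as an added example that is not code from the issue author or the Amplify project: a simplified default-deny model of the `pics/{entity_id}/*` rule, showing that a key built from the user pool `sub` is refused while one built from the identity pool identity ID is allowed. It assumes `{entity_id}` is bound to the caller's identity ID for the owner rule and acts as a wildcard for group rules; the session shape and all IDs are constructed.

```javascript
// Simplified model only; not Amplify's or IAM's actual evaluation code.
// Assumption: owner rule binds {entity_id} to the identity pool identity ID,
// group rules treat {entity_id} as a wildcard path segment.
const RULES = {
  'pics/{entity_id}/*': [
    { kind: 'owner', actions: ['read', 'write', 'delete'] },
    { kind: 'group', group: 'admin', actions: ['read', 'write', 'delete'] },
  ],
};

// Escape regex metacharacters in literal path text.
const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Compile a rule path to a regex; entityPattern stands in for {entity_id}.
function pathToRegex(rulePath, entityPattern) {
  const body = rulePath
    .split('{entity_id}')
    .map((part) => esc(part).replace(/\\\*/g, '.+')) // trailing * = any suffix
    .join(entityPattern);
  return new RegExp(`^${body}$`);
}

// session is a constructed object with identityId, userSub and token claims.
function isAllowed(session, action, key) {
  const groups = session.tokens?.accessToken?.payload?.['cognito:groups'] ?? [];
  for (const [rulePath, grants] of Object.entries(RULES)) {
    for (const g of grants) {
      if (!g.actions.includes(action)) continue;
      if (g.kind === 'owner' && session.identityId &&
          pathToRegex(rulePath, esc(session.identityId)).test(key)) return true;
      if (g.kind === 'group' && groups.includes(g.group) &&
          pathToRegex(rulePath, '[^/]+').test(key)) return true;
    }
  }
  return false; // default deny: no rule matched
}

// Constructed sample sessions (not real Cognito identifiers).
const alice = {
  userSub: '11111111-aaaa-4aaa-8aaa-111111111111',
  identityId: 'eu-north-1:22222222-bbbb-4bbb-8bbb-222222222222',
  tokens: { accessToken: { payload: {} } },
};
const admin = {
  userSub: '33333333-cccc-4ccc-8ccc-333333333333',
  identityId: 'eu-north-1:44444444-dddd-4ddd-8ddd-444444444444',
  tokens: { accessToken: { payload: { 'cognito:groups': ['admin'] } } },
};
```
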

cwomack commented 1 month ago

Hello, @anthonyhoegberg, and thanks for opening this feature request. I'll review this with our team internally, and follow up with any further questions we have or any additional context we need. Thanks!