7

My project uses cognito user pools as the default authentication method and also uses iam for my custom graphql lambda resolver.

I've been using the AppSync console to run tests on my queries/mutations.

I have a many-to-many relationship between User and Group types which I've implemented in this schema.graphql file.

type User
  @model
  @auth(
    rules: [
      { allow: owner, ownerField: "id", operations: [create, update, delete] }
      { allow: private, provider: iam, operations: [read, update, delete] }
      { allow: private, provider: userPools, operations: [read] }
    ]
  ) {
  id: ID!
  displayName: String!
  groups: [GroupMemberLink] @connection(keyName: "byMember", fields: ["id"])
}

type Group
  @model
  @auth(
    rules: [
      { allow: owner, ownerField: "members", operations: [create, update, delete] }
      { allow: private, provider: iam, operations: [read, update, delete] }
      { allow: private, provider: userPools, operations: [read] }
    ]
  ) {
  id: ID!
  name: String!
  members: [String]!
  associated: [GroupMemberLink] @connection(keyName: "byGroup", fields: ["id"])
}

type GroupMemberLink
  @model(queries: null, subscriptions: null)
  @key(name: "byGroup", fields: ["groupID", "memberID"])
  @key(name: "byMember", fields: ["memberID", "groupID"])
  @auth(
    rules: [
      { allow: private, provider: userPools, operations: [read] }
      # what am I doing wrong below?
      { allow: private, provider: iam, operations: [create, read, update, delete] }
    ]
  ) {
  id: ID!
  groupID: ID!
  memberID: ID!
  group: Group! @connection(fields: ["groupID"])
  member: User! @connection(fields: ["memberID"])
}

My Intentions:

  1. To only allow my lambda function (using iam) to both read and do mutations (create/update/delete)
  2. To allow users authenticated with cognito user pools to only read.

My Problem:

My lambda function is not able to read this relational type/field when I query either from the User or Group type. It also seems like users are able to create this type of object which is something I absolutely do not want.

What am I doing wrong? I understand that multi-auth was recently added so this might be tricky.

Reading the documentation hasn't helped me much so I've been trying many different combinations of rules and hoping one would work.

Update: I get this error whenever I try to access the connected field on either the User or Group type: "Not Authorized to access items on type ModelGroupMemberLinkConnection" from the appsync console using iam as the auth type.

To clarify: users authenticated with cognito user pools have both read/write access (Shouldn't have write access), but my lambda function using iam doesn't have read or write access.

Things I've tried that still result in not being able to access the related field while being authenticated with iam:

  1. Removed the auth directive altogether.
  2. Changed the auth rule in GroupMemberLink to @auth(rules: [{ allow: private, provider: iam, operations: [read, update, delete] }])

Update:

These are the queries I've been testing in the AppSync console:

query GetUser {
  getUser(id: "funksouldev") {
    id
    displayName
    groups {
      items {
        group {
          id
          name
        }
      }
    }
  }
}

query GetGroup($groupID: ID!) {
  getGroup(id: $groupID) {
    id
    associated {
      items {
        id
        member {
          id
          displayName
        }
      }
    }
  }
}
Funk Soul Ninja
  • Did you find the right way? – Alex Jan 12 '20 at 00:16
  • @Alex I have not – Funk Soul Ninja Jan 12 '20 at 00:17
  • 1
    I'm trying to reproduce your problem. – Alex Jan 12 '20 at 06:15
  • @Alex Great! Please let me know if you need any more info to reproduce the problem. The problem arises in the AppSync console when I'm running queries using iam for authentication. – Funk Soul Ninja Jan 12 '20 at 06:26
  • I am confused, what's the lambda function doing? As a resolver or just calling the graphql api? Do you have any github repo? – Alex Jan 12 '20 at 11:13
  • The lambda function has an appsync client that queries the appsync api and makes special checks before making mutations. It’s like a middle-man api for certain mutations. The problem happens in the AppSync console when I run either getUser (or list) while querying the connected groups field or when running getGroup with associated in the requested fields. – Funk Soul Ninja Jan 12 '20 at 15:31
  • @Alex I've updated the question with the exact queries I've been using. The connected fields can be read in the console when logged in with cognito user pools, but cannot be read when using iam. – Funk Soul Ninja Jan 12 '20 at 15:54

1 Answer

9

Okay, finally I think this would solve the problem.

type ModelGroupMemberLinkConnection @aws_iam @aws_cognito_user_pools {
  items: [GroupMemberLink]
  nextToken: String
}
Alex
  • worked for me,@Funk check it out and let me know the result, please. – Alex Jan 12 '20 at 23:50
  • I just tested it and it works exactly the way I want it to. Thank you so much! I simply added the directives to the type declaration for the connection (copied and pasted your answer into my schema) and users can read, but only my lambda backend can make mutations. Perfect. I learned something new today. It seems that I explicitly need to add those directives onto connection types. – Funk Soul Ninja Jan 13 '20 at 02:43
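As an added example (not code from the question, the answer, or the Amplify project), the following Python script turns the accepted answer into a schema check that can run in CI: for every @model type, the auto-generated Model<Name>Connection type must be declared explicitly and carry the AppSync directive matching each provider granted in the model's @auth rules, otherwise a caller using that provider gets "Not Authorized" on the connection field exactly as described above. The embedded schema is a constructed, trimmed version of the question's, with the answer's fix applied to the link table only so there is something to report. The provider-to-directive table and the fallback of provider-less rules to userPools (the project's default auth mode) are assumptions about this project's configuration.

```python
import re

# Constructed sample: a trimmed copy of the question's schema. The fix from the
# accepted answer is applied to GroupMemberLink's connection type, while
# ModelUserConnection is left implicit so the checker has a finding to report.
SAMPLE_SCHEMA = """
type User @model @auth(rules: [
  { allow: owner, ownerField: "id", operations: [create, update, delete] }
  { allow: private, provider: iam, operations: [read, update, delete] }
  { allow: private, provider: userPools, operations: [read] }
]) {
  id: ID!
  displayName: String!
  groups: [GroupMemberLink] @connection(keyName: "byMember", fields: ["id"])
}

type GroupMemberLink
  @model(queries: null, subscriptions: null)
  @auth(rules: [
    { allow: private, provider: userPools, operations: [read] }
    { allow: private, provider: iam, operations: [create, read, update, delete] }
  ]) {
  id: ID!
  groupID: ID!
  memberID: ID!
}

type ModelGroupMemberLinkConnection @aws_iam @aws_cognito_user_pools {
  items: [GroupMemberLink]
  nextToken: String
}
"""

# AppSync authorization directive that corresponds to each Amplify @auth provider.
PROVIDER_DIRECTIVE = {
    "iam": "@aws_iam",
    "userPools": "@aws_cognito_user_pools",
    "oidc": "@aws_oidc",
    "apiKey": "@aws_api_key",
}

# Assumption: rules without an explicit provider use the API's default auth mode,
# which for this project is Cognito user pools.
DEFAULT_PROVIDER = "userPools"


def split_types(schema):
    """Return (name, header, body) for each top-level `type` definition.

    The header runs from the type name to the body's opening brace. Parentheses
    are balanced while scanning so the braces inside @auth(rules: [{...}]) are
    not mistaken for the body, which a naive regex would get wrong.
    """
    result = []
    for m in re.finditer(r"\btype\s+(\w+)", schema):
        i, depth = m.end(), 0
        while i < len(schema):
            c = schema[i]
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
            elif c == "{" and depth == 0:
                break
            i += 1
        header = schema[m.end():i]
        j, bdepth = i, 0
        while j < len(schema):  # find the brace that closes the body
            if schema[j] == "{":
                bdepth += 1
            elif schema[j] == "}":
                bdepth -= 1
                if bdepth == 0:
                    break
            j += 1
        result.append((m.group(1), header, schema[i + 1:j]))
    return result


def model_providers(header):
    """Set of auth providers a @model type header grants access to, or None if
    the type is not a @model (for example an explicitly declared connection type)."""
    if "@model" not in header:
        return None
    providers = set(re.findall(r"provider:\s*(\w+)", header))
    for rule in re.findall(r"\{[^}]*\}", header):  # each {...} is one @auth rule
        if "provider:" not in rule:
            providers.add(DEFAULT_PROVIDER)
    return providers


def check_connection_types(schema):
    """List findings for Model<Name>Connection types that are absent or lack the
    directive for a provider the underlying @model allows."""
    types = split_types(schema)
    declared = {name: header for name, header, _ in types}
    findings = []
    for name, header, _ in types:
        providers = model_providers(header)
        if providers is None:
            continue
        conn = f"Model{name}Connection"
        needed = [PROVIDER_DIRECTIVE[p] for p in sorted(providers) if p in PROVIDER_DIRECTIVE]
        conn_header = declared.get(conn)
        if conn_header is None:
            findings.append(f"{conn}: not declared explicitly; declare it with {' '.join(needed)}")
            continue
        for directive in needed:
            if directive not in conn_header:
                findings.append(f"{conn}: missing {directive}")
    return findings


if __name__ == "__main__":
    for finding in check_connection_types(SAMPLE_SCHEMA):
        print(finding)
```

Running the script on the sample reports only ModelUserConnection, since the link table's connection type already carries both directives; pasting the reported declaration into schema.graphql and re-running gives an empty list. The check is deliberately generous (it only looks at which providers are granted, not at which operations), so it tells you where a directive is missing but not whether the operations on each rule are what you intended.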