halfdanr

Reputation: 393

Conditional read access to DynamoDB table with AWS Amplify

I'm building an application with AWS Amplify, where I have three DynamoDB tables: Users, Posts and Subscriptions.

  1. users can make posts
  2. users subscribe to other users
  3. user A can only see posts by user B if user A is subscribed to user B

Points 1. and 2. are easy to implement with standard GraphQL mutations. But I'm stuck at how to implement 3. in an elegant way. Currently what I do is to use a Lambda resolver.

Given inputs "user A wants to see user B", the lambda resolver does the following:

  1. Query Subscriptions table to see if there's a document for "user A subscribed to user B"
  2. if such a row exists, query Posts table and return documents. If not, return nothing.

This logic required two round trips, but since dynamo is fast I'm OK with this trade-off. There are other downsides though, so I'm wondering if there's a more Amplify-native way to do this? Some magic DynamoDB and @auth trickery perhaps?

Thank you!

Upvotes: 0

Views: 749

Answers (1)

Seth Geoghegan

Reputation: 5747

If you are using multiple tables to store the data, the multiple query approach is your only option.

You can use transactions when mutating items across multiple tables, which is useful when you want to perform an operation based on a condition on an item in another table(s). But when it comes to a read operation, you have no such option.

Aside from re-designing your tables to support this access pattern, I don't think two reads is particularly bad.

If you wanted to handle authorization logic outside of DDB, you may want to look into AWS IAM and its documentation on Fine-Grained Access Control. Among other features, IAM can restrict access to specific items in a table based on certain primary key values.

Upvotes: 1
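
The two-read check discussed in this thread, as an added example that is not code from either post: a Lambda resolver that fails closed and takes the caller from the verified identity instead of from client-supplied arguments. The key names (`subscriberId`, `targetId`, `authorId`), the `db` wrapper and the use of `event.identity.sub` (Cognito user pool auth) are assumptions, and the in-memory tables are constructed sample data.

```javascript
// Core check: read Subscriptions first, touch Posts only if a row exists.
// `db` is a hypothetical two-method wrapper around a DynamoDB client.
async function listPostsFor(db, callerId, authorId) {
  // Fail closed on a missing identity or argument.
  if (typeof callerId !== "string" || !callerId) return [];
  if (typeof authorId !== "string" || !authorId) return [];

  // Round trip 1: is there a "caller subscribed to author" item?
  const sub = await db.get("Subscriptions", { subscriberId: callerId, targetId: authorId });
  if (!sub) return []; // not subscribed: return nothing

  // Round trip 2: the caller is authorized, so query the author's posts.
  return db.query("Posts", "authorId", authorId);
}

// Resolver entry point. The subscriber is always the authenticated caller
// (assumed to be event.identity.sub), never a value from event.arguments,
// so a client cannot ask "as" another user who holds a subscription.
function makeHandler(db) {
  return async (event) =>
    listPostsFor(
      db,
      event.identity && event.identity.sub,
      event.arguments && event.arguments.authorId
    );
}

// Constructed in-memory stand-in for the two tables, so the example runs offline.
function makeFakeDb() {
  const tables = {
    Subscriptions: [{ subscriberId: "userA", targetId: "userB" }],
    Posts: [
      { authorId: "userB", postId: "p1", body: "hello" },
      { authorId: "userC", postId: "p2", body: "private" },
    ],
  };
  const calls = []; // records which tables were read, for inspection
  return {
    calls,
    async get(table, key) {
      calls.push(`get:${table}`);
      const match = (row) => Object.keys(key).every((k) => row[k] === key[k]);
      return tables[table].find(match) || null;
    },
    async query(table, pkName, pkValue) {
      calls.push(`query:${table}`);
      return tables[table].filter((row) => row[pkName] === pkValue);
    },
  };
}
```

In a deployed resolver the `db` object would wrap the real DynamoDB client calls; the ordering of the two reads and the source of the caller id are the parts that carry the authorization.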
