Reputation: 251
Authorization in Amplify GraphQL
I'm implementing a project in Amplify and have 3 GraphQL schema types as shown below. It is a multi-tenanted app with different user types.
type Seller
@model
@auth (rules: [
{ allow: owner, ownerField: "id", operations: [read, update] },
])
{
id: ID!
name: String
...
}
type Customer
@model
@auth (rules: [
{ allow: owner, ownerField: "id", operations: [read, update] },
])
{
id: ID!
name: String
...
}
type Order
@model
@auth (rules: [
{ allow: owner, ownerField: "seller_id", operations: [create, read, update, delete] },
{ allow: owner, ownerField: "customer_id", operations: [read] },
])
{
id: ID!
seller_id: ID
seller: Seller @connection(fields: ["seller_id"])
customer_id: ID
customer: Customer @connection(fields: ["customer_id"])
quantity: Int
product: String
...
}
When a user of type Customer is logged in, and calls listOrders, it returns null for the attribute "sellers" presumably because the @auth rules of Seller only allow owners read access. I can fix this by putting a group rules in Seller as follows:
type Seller
...
@auth (rules: [
...
{ allow: groups, groups: ["Customer"], operations: [read] },
...
However, Customers are now able to query all Sellers (via listSellers or getSellers), which I do not want for them to be able to do.
Is there a way to define authorization so that if customer is authorized on Order, and Order includes the object Seller, then authorization is allowed for that Seller ?
Upvotes: 0
Views: 512
Answers (1)
Reputation: 842
I see what you are going for here but I think you are slightly off with your strategy. What I believe you really are trying to do here is have Group Authorization.
Imagine instead that you had Customer and Seller groups. When a Customer registers, they are placed into the Customer group, and when a Seller registers, they are placed into the Seller group. This will allow you to have finer control over groups and their allowed actions. You will probably want to leverage Dynamic Group Authorization for Sellers and Customers, so that a specific Seller can only work with their Customers.
Also, I think you can simplify your custom owners down to just having the default owner capability that is default with Amplify.
Upvotes: 0
Related Questions
- 'Unauthorized' error when using AWS amplify with grahql to create a new user
- "Not Authorized to access " error on create mutation + GraphQL
- AWS Amplify Graphql Unauthorized Error - Not Authorized to access [...] on type [...]
- AWS Amplify Graph API that can be accessed without authorization (login)
- Amplify GraphQL No Credentials Error in NextJs Application
- Authorization error when updating a GraphQL object using aws-amplify
- Field-level authorization with Amplify GrraphQL
- Amplify authentication user data + graphql API
- How to give separate permissions to GraphQL queries in AWS Amplify
- Amplify GraphQL Error not authorized to access create