Reputation: 105
I have an AWS Amplify project that has three different user groups in Cognito. An Admin, Instructor, and Student group. I also have a GraphQL Schema that looks like this.
```graphql
type DriveTime @model {
  id: ID!
  start: AWSDateTime!
  end: AWSDateTime!
  openRegistration: AWSDateTime!
  closeRegistration: AWSDateTime!
  vehicle: Vehicle @connection(name: "VehicleDriveConnection")
  instructor: Instructor @connection(name: "InstructorDriveConnection")
  student: Student @connection(name: "StudentDriveConnection")
  evaluation: DriveEvaluation @connection(name: "DriveEvaluationConnection")
}
```
Basically Admins or Instructors put in times that the students can then register for.
I want to create authorization rules that allow for the following:
Admin group can read, write, update, and delete anything.
Instructor group can read, write, update, and delete anything.
Student group can only read if (the current date is within the openRegistration and closeRegistration fields) or (the student field matches the logged in student).
If the current date is within the openRegistration and closeRegistration fields and the student field is null, then the student can register themself for the DriveTime.
If the student field matches the logged in student, and the current date is before the start field, the student can write to the student field to unregister or cancel.
Is Amplify GraphQL @Auth capable of this?
Upvotes: 2
Views: 864
Reputation: 619
Have a read through the documentation:
[1] https://docs.amplify.aws/cli/graphql-transformer/auth
[2] https://docs.amplify.aws/cli/graphql-transformer/directives#aws-appsync-provided-directives
[3] https://aws.amazon.com/blogs/mobile/graphql-security-appsync-amplify/
Some of your requirements may have no out-of-the-box support, which means you may have to create custom logic. Check out Lambda Resolvers: https://docs.amplify.aws/cli/graphql-transformer/function#usage
Upvotes: 0
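The custom logic the answer points to, written as the decision function a Lambda resolver could call for the rules in the question. This is an added example, not code from either post or from Amplify. It assumes the caller's Cognito groups arrive as `identity.groups`, that `identity.sub` identifies the student, and that a hypothetical `studentId` field on the record holds the registered student's `sub` (null when the slot is free).

```javascript
// Added example: authorization decision for DriveTime, default deny.
// Assumptions (not from the original posts): identity.groups carries the Cognito
// groups, identity.sub identifies the Student, and driveTime.studentId is the
// registered student's sub or null. All names here are hypothetical.
const STAFF_GROUPS = ["Admin", "Instructor"];

function inWindow(now, from, to) {
  // An unparsable date compares as NaN, so the check fails closed.
  return now >= new Date(from) && now <= new Date(to);
}

function authorizeDriveTime(action, driveTime, identity, now = new Date()) {
  const groups = (identity && identity.groups) || [];
  if (groups.some((g) => STAFF_GROUPS.includes(g))) return true; // full access
  if (!groups.includes("Student") || !identity.sub) return false;

  const registrationOpen = inWindow(now, driveTime.openRegistration, driveTime.closeRegistration);
  const isOwnSlot = driveTime.studentId != null && driveTime.studentId === identity.sub;

  switch (action) {
    case "read":
      return registrationOpen || isOwnSlot;
    case "register": // only a free slot, only while registration is open
      return registrationOpen && driveTime.studentId == null;
    case "unregister": // only the registered student, only before the drive starts
      return isOwnSlot && now < new Date(driveTime.start);
    default:
      return false; // students cannot create, delete, or edit other fields
  }
}

// Constructed sample record and caller
const slot = {
  start: "2030-06-10T09:00:00Z",
  end: "2030-06-10T10:00:00Z",
  openRegistration: "2030-06-01T00:00:00Z",
  closeRegistration: "2030-06-08T00:00:00Z",
  studentId: null,
};
const student = { sub: "student-1", groups: ["Student"] };
const during = new Date("2030-06-05T12:00:00Z");
console.log(authorizeDriveTime("register", slot, student, during)); // true
```

The "student field is null" check should also be enforced as a condition on the database write itself, so two students registering at the same moment cannot both succeed.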