Restrict lambda resolver to owner for GraphQL API using Amplify

0

In my schema.graphql file I have the following model and mutation:

type Profile @model @auth(rules: [
    { allow: private, operations: [read], provider: userPools },
    { allow: owner, provider: userPools }
    ]) @aws_iam @aws_cognito_user_pools
    {
    id: ID! @primaryKey @auth(rules: [ { allow: owner, provider: userPools }, { allow: private, operations: [read], provider: userPools }, { allow: public, operations: [read], provider: iam } ])
    name: String! @auth(rules: [ { allow: owner, provider: userPools }, { allow: private, operations: [read], provider: userPools }, { allow: public, operations: [read], provider: iam } ])
    about: String
    links: [Link] @hasMany
    owner: String @index(name: "byOwner", queryField: "listProfileByOwner", sortKeyFields: ["name"])
}

type Mutation {
    updateProfileLambda(profile: UpdateProfileLambdaInput): Profile 
        @aws_cognito_user_pools
        @function(name: "UpdateProfile-${env}")
}

I created the lambda function to perform custom validation before updating. The problem is that any authenticated user can update other user profiles. I thought adding @aws_cognito_user_pools would resolve this, but it doesn't.

Question: What do I need to add to lock down the updateProfileLambda function so that it can only be successfully called by the owner of the Profile model?

For some more context, I followed this tutorial to create the custom mutation lambda function: https://www.theclouddeveloper.io/use-lambda-resolvers-in-your-graph-ql-api-with-aws-amplify

profile picture
asked 2 years ago361 views
1 Answer
0

Seems like this workflow is not possible yet, see thread here: https://github.com/aws-amplify/amplify-category-api/issues/528

profile picture
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions