In my schema.graphql file I have the following model and mutation:
```graphql
type Profile
  @model
  @auth(rules: [
    { allow: private, operations: [read], provider: userPools },
    { allow: owner, provider: userPools }
  ])
  @aws_iam
  @aws_cognito_user_pools
{
  id: ID! @primaryKey @auth(rules: [
    { allow: owner, provider: userPools },
    { allow: private, operations: [read], provider: userPools },
    { allow: public, operations: [read], provider: iam }
  ])
  name: String! @auth(rules: [
    { allow: owner, provider: userPools },
    { allow: private, operations: [read], provider: userPools },
    { allow: public, operations: [read], provider: iam }
  ])
  about: String
  links: [Link] @hasMany
  owner: String @index(name: "byOwner", queryField: "listProfileByOwner", sortKeyFields: ["name"])
}

type Mutation {
  updateProfileLambda(profile: UpdateProfileLambdaInput): Profile
    @aws_cognito_user_pools
    @function(name: "UpdateProfile-${env}")
}
```
I created the Lambda function to perform custom validation before updating. The problem is that any authenticated user can update other users' profiles. I thought adding @aws_cognito_user_pools would resolve this, but it doesn't.
Question: What do I need to add to lock down the updateProfileLambda function so that it can only be successfully called by the owner of the Profile model?
For some more context, I followed this tutorial to create the custom mutation lambda function: https://www.theclouddeveloper.io/use-lambda-resolvers-in-your-graph-ql-api-with-aws-amplify
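One way to enforce ownership inside the Lambda resolver itself, as an added example that is not part of the original question or the linked tutorial: `@aws_cognito_user_pools` only controls which auth mode may call the field, so the owner comparison has to happen in the function. It assumes the Amplify `@function` event shape (`event.identity.sub` / `event.identity.username` for Cognito user pool callers, `event.arguments.profile` for the input), that the Profile's `owner` field holds `username`, `sub` or `sub::username` (Amplify's conventions), and stands in a constructed in-memory table for the DynamoDB read.

```javascript
// Added example: owner check for the updateProfileLambda resolver.
// Assumes the Amplify @function event: identity.{sub,username} from Cognito
// user pools, arguments.profile as the mutation input. The Profile table is
// replaced by a constructed in-memory map so this runs offline.

// Accept the three forms Amplify may store in the `owner` field.
function ownerMatches(identity, owner) {
  if (!identity || !owner) return false;
  const { sub, username } = identity;
  return new Set([username, sub, `${sub}::${username}`]).has(owner);
}

// Decide whether the caller may update the given stored profile.
// Returns a result object so the handler can map it to a GraphQL error.
function authorizeProfileUpdate(event, existingProfile) {
  const identity = event && event.identity;
  // Only Cognito user-pool callers carry sub/username; anything else is denied.
  if (!identity || !identity.sub || !identity.username) {
    return { allowed: false, reason: 'Unauthorized: Cognito user pool identity required' };
  }
  if (!existingProfile) {
    return { allowed: false, reason: 'Not found' };
  }
  if (!ownerMatches(identity, existingProfile.owner)) {
    return { allowed: false, reason: 'Unauthorized: caller is not the profile owner' };
  }
  // Never let the input payload reassign ownership to someone else.
  const input = (event.arguments && event.arguments.profile) || {};
  if ('owner' in input && !ownerMatches(identity, input.owner)) {
    return { allowed: false, reason: 'Unauthorized: owner field cannot be changed' };
  }
  return { allowed: true, reason: null };
}

// Constructed sample data standing in for a read of the Profile table.
const sampleProfiles = {
  p1: { id: 'p1', name: 'Alice', about: '', owner: 'alice-sub-123::alice' },
};
function loadProfile(id) {
  return sampleProfiles[id] || null;
}

// Lambda handler: authorize first, then run custom validation and the update.
async function handler(event) {
  const input = (event.arguments && event.arguments.profile) || {};
  const decision = authorizeProfileUpdate(event, loadProfile(input.id));
  if (!decision.allowed) throw new Error(decision.reason);
  // ...custom validation and the DynamoDB UpdateItem call would follow here.
  return { ...loadProfile(input.id), ...input };
}
```

The same check should also be kept in mind for the `owner` field on the model: the input type must not let a caller overwrite `owner`, or the Lambda's comparison has to reject it as shown.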