As I work on a project using AWS Amplify, I am going to document some quirks that I come across (or some plain old stupidity on my part). The documentation for Amplify has room to improve, and it is definitely frustrating to work with. I document my findings here for my future self, in case I have to work with Amplify again.
I dislike that I have to go to Amplify's Discord and search through the history for any similar issues... What happened to having StackOverflow as the go-to for such activities?
Anyway, I intend to update this blog forever, so you could keep checking back.
AppSync / GraphQL
Combination of private and groups authorization types
Example:
    type Query {
      myFooQuery: Bar @auth(
        rules: [
          { allow: private },
          { allow: groups, groups: ["Admin"] }
        ]
      )
    }
Expectation: When I define both private and groups authorization rules, say on a query, users with a valid JWT as well as users that belong to the Cognito user group named in the rule should be allowed to execute that query. I expected this to be an OR condition:
- EITHER users that have a valid JWT
- OR users that belong to a specific Cognito user group
just like the other authorization type combinations (such as allowing access with an API key or letting the owner update their own record).
Actual: The groups authorization rule takes precedence over the private authorization rule. Thus, even if a user has a valid JWT, they cannot execute the query unless they belong to the specified group.
Comment: Granted, having both private and groups authorization types is redundant: if a user belongs to a group, they necessarily have a JWT, so the private authorization type alone would suffice. But I expected the combination to always be OR'ed, and it turns out that isn't the case for the private and groups authorization types.
Hours Spent Debugging: 4 hours. I had to check the generated request mapping template, learn VTL, learn how to log from VTL ($util.error() !!!) and then came to this conclusion.
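To make the difference concrete, here is a small model (added here, not Amplify's own resolver code) that evaluates the rule list from the schema above against the Cognito claims AppSync exposes after it has verified the token. It contrasts the OR semantics I expected with the "groups rule is decisive" behaviour I observed, and lists which sample identities diverge, which is the check I wish I had run before deploying. The claims, user ids and the group-first evaluation are constructed assumptions based on the observed behaviour, not a description of Amplify internals.

```python
"""Model of how a private + groups @auth rule list resolves for a Cognito caller.

Constructed example: compares the OR semantics expected in the post with the
"static groups rule wins" behaviour the post observed. Signature verification is
AppSync's job and is assumed to have already happened; only claims are modelled.
"""

# The rule list from the schema above, expressed as data.
RULES = [
    {"allow": "private"},
    {"allow": "groups", "groups": ["Admin"]},
]


def rule_passes(rule: dict, claims: dict) -> bool:
    """Evaluate one @auth rule against the claims of a verified Cognito token."""
    if rule["allow"] == "private":
        # Any caller that presented a valid Cognito JWT has a subject claim.
        return claims.get("sub") is not None
    if rule["allow"] == "groups":
        # Static group rule: the caller's cognito:groups must intersect the list.
        return bool(set(claims.get("cognito:groups", [])) & set(rule["groups"]))
    raise ValueError(f"unsupported rule: {rule}")


def authorized_any(rules: list, claims: dict) -> bool:
    """Semantics the post expected: the request passes if ANY rule passes."""
    return any(rule_passes(r, claims) for r in rules)


def authorized_groups_first(rules: list, claims: dict) -> bool:
    """Semantics the post observed: a static groups rule, if present, is decisive."""
    group_rules = [r for r in rules if r["allow"] == "groups"]
    if group_rules:
        return any(rule_passes(r, claims) for r in group_rules)
    return authorized_any(rules, claims)


# Constructed claims, shaped like a decoded Cognito ID token after verification.
AUTHENTICATED_NO_GROUP = {"sub": "user-1", "cognito:groups": []}
ADMIN_USER = {"sub": "user-2", "cognito:groups": ["Admin"]}
SAMPLE_IDENTITIES = {"plain-user": AUTHENTICATED_NO_GROUP, "admin": ADMIN_USER}


def compare(claims: dict, rules: list = RULES) -> dict:
    """Return the outcome under both semantics for one caller."""
    return {"expected_or": authorized_any(rules, claims),
            "observed": authorized_groups_first(rules, claims)}


def divergent_identities(identities: dict, rules: list = RULES) -> list:
    """Names of callers whose access differs between the two semantics."""
    return sorted(name for name, claims in identities.items()
                  if compare(claims, rules)["expected_or"] != compare(claims, rules)["observed"])
```

Running `divergent_identities(SAMPLE_IDENTITIES)` reports the plain authenticated user, who is allowed under the OR reading but denied under the observed behaviour.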