Hi,
I recently programmed a react native app with firebase as a backend. I really enjoyed the concept of microservices but found some limitations at firebase, mainly geo-queries and scalability within their real-time database.
So I found Amazon Web Services as a perfect solution to all my problems with firebase.
The Service I am talking about is called AppSync. It has a nice library for default API calls - Amplify.
So after I started out to understand the main features and conzepts of AppSync I found a really challaging problem. I want to use GraphQL as a single source of truth but restrict access to some queries.
As an example let’s talk about I would like to rebuild hashnode. Where I would like that the query „listPosts“ is completely public and you can read posts without authenticating. But for all other queries like „answerPost“ or „commentPost“ it would require authentication.
How can I build this functionality when I am using AWS Cognito for authentication?
Scopes and tier-based authentication.
The naïve way to go about this would be to issue IAM policies in a Cognito User Pool and then fetch credentials using either STS or Lambda with the policies applied. You can use just one policy and then modify it on-the-fly to fit the role.
For example, you can have the following grants:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "82f599a4-a505-4fa8-adda-b1aae6f637db", "Action": "ListPosts", "Effect": "Allow", "Resource": "posts/*" } ] }Call this
ListPostsPolicy. Then, createUpdatePostsand whatever policies you need.When done, create a composite (or a "role") based on these policies. Like
user,administrator, etc. and callassumeRole()with STS.The better way is to use Federated Identities; you will get the permissions link (Federated Users) and the actual auth layer (user pool).