如何使用AppSync GraphQL Transform进行双向一对多@connection的字段级别@auth? [英] How to do field level @auth for bi-directional one-to-many @connection with AppSync GraphQL Transform?

问题描述

我正在尝试找出如何在现场级别使用 @auth 保护一对多的 @connection 以避免不应允许的突变.(即:拒绝特定用户进行突变，最终导致以其他用户身份插入帖子.)

I'm trying to figure out how can you protect at field level a one-to-many @connection with @auth against mutations that shouldn't be allowed. (ie: deny a specific user to run a mutation that will end-up inserting posts as another user.)

从在字段级别保护突变的示例开始:

Starting with the example for protecting a mutation at the field level: https://aws-amplify.github.io/docs/cli/graphql#field-level-authorization

我试图做这样的事情:

type User @model @auth(rules: [{ allow: owner, ownerField: "id" }]) {
  id: ID!
  posts: [Post]
    @connection(name: "UserPosts")
    @auth(rules: [{ allow: owner, ownerField: "id" }])
}

type Post @model {
  title: String!
  user: User!
    @connection(name: "UserPosts")
    @auth(rules: [{ allow: owner, ownerField: "userPostId" }])
}

然后说，已经有一个ID为 regular-user-id 的用户显然，我的身份验证规则不会阻止其他用户运行，例如ID为: malicious-user-id 来运行此突变:

Then say there already is a user with an id of regular-user-id Apparently my auth rules don't stop another user, say with id of: malicious-user-id to run this mutation:

mutation {
  createPost(input:{
    title:"Oh this is BAD!"
    postUserId: "regular-user-id"
  }) {
    title
  }
}

运行一个简单的查询以确保确实发生了这种情况:

Running a simple query to make sure this really happened:

query {
  getUser(id:"regular-user-id"){
    posts{
      items
      {
        title
      }
    }
  }
}
=> 
{
  "data": {
    "getUser": {
      "posts": {
        "items": [
          {
            "title": "Regular User title"
          },
          {
            "title": "Oh this is BAD!"
          },
        ]
      }
    }
  }
}

我尝试了多种方法来解决这一问题，但是找不到有关双向字段级身份验证的任何文档.我对AppSync相当陌生，所以我认为我一定没什么用，但是这是一种常见的用例场景，令我感到惊讶的是，没有更多关于它的文档.

I tried various ways to figure this one out and couldn't find any documentation about bi-directional field level authentication. I'm fairly new to AppSync so I think I must be not getting something, but then this is such common use-case scenario that I'm really surprised there isn't more documentation about it.

我们将不胜感激.

推荐答案

为了保护 Mutation.createPost 突变，以便仅通过 postUserId 可以访问它，您可以在Post对象定义中添加一个@auth指令:

To protect the Mutation.createPost mutation such that only the owner of the Post as designated via the postUserId may access it you add an @auth directive to the Post object definition:

type Post @model @auth(rules: [{ allow: owner, ownerField: "postUserId" }]) {
  title: String!
  # This will use a field 'postUserId' by default.
  user: User!
    @connection(name: "UserPosts")
}

使用此设置，会有一个突变:

With this setup, a mutation:

mutation {
  createPost(input:{
    title:"Oh this is BAD!"
    postUserId: "regular-user-id"
  }) {
    title
  }
}

如果登录的用户不是"regular-user-id"，则

将失败.

will fail if the logged in user is not "regular-user-id".

此答案也可以帮助填写 https://github.com/aws-amplify/amplify-cli/issues/1507#issuecomment-513042021 .

This answer may help fill things in as well https://github.com/aws-amplify/amplify-cli/issues/1507#issuecomment-513042021.

这篇关于如何使用AppSync GraphQL Transform进行双向一对多@connection的字段级别@auth?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！