如何使用 AppSync GraphQL 转换为双向一对多 @connection 执行字段级 @auth? [英] How to do field level @auth for bi-directional one-to-many @connection with AppSync GraphQL Transform?
问题描述
我试图弄清楚如何在字段级别保护一对多 @connection
和 @auth
免受不应允许的突变.(即:拒绝特定用户运行最终将作为另一个用户插入帖子的突变.)
I'm trying to figure out how can you protect at field level a one-to-many @connection
with @auth
against mutations that shouldn't be allowed. (ie: deny a specific user to run a mutation that will end-up inserting posts as another user.)
从在字段级别保护突变的示例开始:https://aws-amplify.github.io/docs/cli/graphql#field-level-authorization
Starting with the example for protecting a mutation at the field level: https://aws-amplify.github.io/docs/cli/graphql#field-level-authorization
我尝试做这样的事情:
type User @model @auth(rules: [{ allow: owner, ownerField: "id" }]) {
id: ID!
posts: [Post]
@connection(name: "UserPosts")
@auth(rules: [{ allow: owner, ownerField: "id" }])
}
type Post @model {
title: String!
user: User!
@connection(name: "UserPosts")
@auth(rules: [{ allow: owner, ownerField: "userPostId" }])
}
然后说已经有一个 id 为 regular-user-id
的用户显然,我的身份验证规则不会阻止其他用户,例如使用 id 表示:malicious-user-id
来运行此更改:
Then say there already is a user with an id of regular-user-id
Apparently my auth rules don't stop another user, say with id of: malicious-user-id
to run this mutation:
mutation {
createPost(input:{
title:"Oh this is BAD!"
postUserId: "regular-user-id"
}) {
title
}
}
运行一个简单的查询以确保这真的发生了:
Running a simple query to make sure this really happened:
query {
getUser(id:"regular-user-id"){
posts{
items
{
title
}
}
}
}
=>
{
"data": {
"getUser": {
"posts": {
"items": [
{
"title": "Regular User title"
},
{
"title": "Oh this is BAD!"
},
]
}
}
}
}
我尝试了各种方法来解决这个问题,但找不到任何有关双向字段级身份验证的文档.我对 AppSync 还很陌生,所以我想我一定没有得到什么,但是这是如此常见的用例场景,我真的很惊讶没有更多关于它的文档.
I tried various ways to figure this one out and couldn't find any documentation about bi-directional field level authentication. I'm fairly new to AppSync so I think I must be not getting something, but then this is such common use-case scenario that I'm really surprised there isn't more documentation about it.
非常感谢您的帮助.
推荐答案
为了保护 Mutation.createPost
突变,使得只有通过 postUserId
可以访问它,您可以在 Post 对象定义中添加 @auth 指令:
To protect the Mutation.createPost
mutation such that only the owner of the Post as designated via the postUserId
may access it you add an @auth directive to the Post object definition:
type Post @model @auth(rules: [{ allow: owner, ownerField: "postUserId" }]) {
title: String!
# This will use a field 'postUserId' by default.
user: User!
@connection(name: "UserPosts")
}
有了这个设置,一个突变:
With this setup, a mutation:
mutation {
createPost(input:{
title:"Oh this is BAD!"
postUserId: "regular-user-id"
}) {
title
}
}
如果登录的用户不是regular-user-id",将会失败.
will fail if the logged in user is not "regular-user-id".
这个答案也可能有助于填写内容https://github.com/aws-amplify/amplify-cli/issues/1507#issuecomment-513042021.
This answer may help fill things in as well https://github.com/aws-amplify/amplify-cli/issues/1507#issuecomment-513042021.
这篇关于如何使用 AppSync GraphQL 转换为双向一对多 @connection 执行字段级 @auth?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!