Public queries and mutations (no authentication)


Question

The documentation says there are 3 ways we can authorise an application to interact with the API, but it doesn't look like there is a way of having a public endpoint.

For example, if I want anyone to query a list of todos, but only authenticated users can add a todo to that list, how can I achieve this?

Or if I want to allow anyone to do a schema introspection, but restrict all other queries to authenticated users, is it possible?

I'm using Cognito for authentication. I noticed there is an AppId client regex field that says "(Optional) Type a regular expression to allow or block requests to this API.", but unfortunately I can't find any example. Maybe this is what I'm looking for?

Thanks,

Julien

Answer

There are a couple of ways in which you can do this, based on the authentication mechanism.

Say you are using Cognito Identity and using the AWS IAM flow for authentication. Then you would have 2 policies, one for authenticated users and one for unauthenticated users.

Given a GraphQL schema:

schema {
  query: Query
  mutation: Mutation
}

type Query {
  listTodo(count: Int, paginationToken: String): [TodoConnection]
}

type Mutation {
  addTodo(input: TodoInput): Todo
}

Your unauthenticated policy would look something like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "appsync:GraphQL"
      ],
      "Resource": [
        "arn:aws:appsync:us-west-2:<account-id>:apis/<api-id>/types/Query/fields/listTodo",
        "arn:aws:appsync:us-west-2:<account-id>:apis/<api-id>/types/Query/fields/__schema"
      ]
    }
  ]
}

(The __schema resource is for schema introspection.)

Your authenticated user policy would look like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "appsync:GraphQL"
      ],
      "Resource": [
        "arn:aws:appsync:us-west-2:<account-id>:apis/<api-id>/types/Mutation/fields/addTodo",
        "arn:aws:appsync:us-west-2:<account-id>:apis/<api-id>/types/Query/fields/listTodo",
        "arn:aws:appsync:us-west-2:<account-id>:apis/<api-id>/types/Query/fields/__schema"
      ]
    }
  ]
}

(The __schema resource is for schema introspection.)

If you are using JWT tokens then you will have to associate each Cognito User Pool user with a group (like "Admin", "Users", etc.). You then will have to associate each query/mutation with the Cognito groups that can perform the operation, using the AWS AppSync auth directives. To do this you will only need to update the schema like below:

schema {
  query: Query
  mutation: Mutation
}

type Query {
  listTodo(count: Int, paginationToken: String): [TodoConnection]
    @aws_auth(cognito_groups: ["Users", "Admin"])
}

type Mutation {
  addTodo(input: TodoInput): Todo
    @aws_auth(cognito_groups: ["Admin"])
}

With API key based authentication, it's not possible to have control over the operation.
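The following is an added example, not part of the original answer: a small Python check of the IAM route, modelling IAM's per-field decision over the unauthenticated-role policy so you can confirm before deploying that an anonymous principal reaches only listTodo and __schema and is implicitly denied addTodo. The account and API ids are constructed placeholders, and the evaluator is a simplified model (Allow/Deny statements with wildcards), not the AWS policy engine.

```python
import fnmatch
import json

# Constructed placeholder ids; substitute your own account and API ids.
ARN_PREFIX = "arn:aws:appsync:us-west-2:123456789012:apis/abcdefghijklmnopqrstuvwxyz"

# Unauthenticated-role policy from the answer: listTodo plus __schema, so
# anonymous clients can list todos and introspect the schema, nothing else.
UNAUTH_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["appsync:GraphQL"],
        "Resource": [
            ARN_PREFIX + "/types/Query/fields/listTodo",
            ARN_PREFIX + "/types/Query/fields/__schema",
        ],
    }],
})

# Every field the schema exposes, as (type, field) pairs.
SCHEMA_FIELDS = [("Query", "listTodo"), ("Query", "__schema"), ("Mutation", "addTodo")]


def field_arn(type_name, field_name):
    """Per-field AppSync resource ARN, the granularity the policy is written at."""
    return f"{ARN_PREFIX}/types/{type_name}/fields/{field_name}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy_json, action, resource_arn):
    """Simplified IAM decision (not the AWS engine): an explicit Deny wins, otherwise
    any matching Allow grants, otherwise implicit deny. '*' and '?' are wildcards."""
    allowed = False
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def reachable_fields(policy_json):
    """Schema fields a principal carrying this policy can invoke."""
    return {f"{t}.{f}" for t, f in SCHEMA_FIELDS
            if is_allowed(policy_json, "appsync:GraphQL", field_arn(t, f))}
```

Run reachable_fields against each role's policy whenever the schema gains a field; a new mutation that shows up in the unauthenticated set is a policy written too broadly (for example a types/* wildcard without a matching Deny).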
