I have implemented an AWS Lambda authorization layer for my GraphQL queries and mutations, such that a user may only read/write data to a particular DynamoDB table item iff they are a member of the group that the item belongs to, implemented using a groupId partition key and a sort key of itemId, so that the table can have many itemIds with a common groupId, and also many different groupIds. This all works as expected.
Now I would like to be able to extend this group authorization to my real time GraphQL subscriptions. I observe that unparameterized subscriptions broadcast to all users. I need a solution that constrains the subscription events such that all group members and only group members receive the subscription event for mutations on table data containing the corresponding groupID key. A user, being a member of many groups, will receive subscription events for all groups that they are a member of.
The groups and group members are dynamic, with groups being created and members being added by application business logic.
I observe a multitude of AWS authorization techniques, static and dynamic. I have seen examples of parameterized subscriptions and subscription resolvers that target subscribing only to one item, but nothing that I can see that fits my particular 'multi-group' need.
I am using AWS Amplify API for client GraphQL calls. I observe Apollo has a subscribeToMore() that might be helpful for this scenario, but I presently prefer to stay away from the rework required for me to fit my UI into Apollo 2's Render Props pattern.
Any thoughts?
You can do the following to enable this use-case with AppSync.
You can then have a client subscribe multiple times, once for each group they want notifications for.
Here is the subscription authorization documentation which contains an example which is similar to yours: https://docs.aws.amazon.com/appsync/latest/devguide/security-authorization-use-cases.html#real-time-data
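The per-group approach described in the answer above can be sketched as follows. This is an added example, not code from the original post or from AWS: a Lambda resolver attached to a subscription field that takes a `groupId` argument and rejects callers who are not members. The schema and field names, the Cognito-style `identity.sub`, and the in-memory membership map (standing in for the DynamoDB lookup) are assumptions.

```javascript
// Assumed schema (hypothetical names, not from the post):
//   type Subscription {
//     onItemChanged(groupId: ID!): Item @aws_subscribe(mutations: ["updateItem"])
//   }
// AppSync delivers an event only when the subscription's groupId argument
// equals the groupId field in the mutation's result.

// Constructed membership data standing in for the DynamoDB membership lookup.
const MEMBERSHIPS = new Map([
  ["user-alice", new Set(["group-1", "group-2"])],
  ["user-bob", new Set(["group-2"])],
]);

// Pure decision: may this caller open a subscription for this group?
function checkAccess(identity, args, memberships) {
  const userId = identity && identity.sub;
  const groupId = args && args.groupId;
  if (typeof userId !== "string" || userId === "") {
    return { allowed: false, reason: "no authenticated identity" };
  }
  if (typeof groupId !== "string" || groupId === "") {
    // Without a groupId argument the subscription would not be filtered.
    return { allowed: false, reason: "groupId is required" };
  }
  const groups = memberships.get(userId);
  if (!groups || !groups.has(groupId)) {
    return { allowed: false, reason: "not a member of " + groupId };
  }
  return { allowed: true, reason: "member" };
}

// Lambda resolver for Subscription.onItemChanged. It runs when the client
// subscribes; a thrown error makes AppSync reject the subscription.
async function handler(event) {
  const decision = checkAccess(event.identity, event.arguments, MEMBERSHIPS);
  if (!decision.allowed) {
    throw new Error("Unauthorized: " + decision.reason);
  }
  return null; // no payload at subscribe time
}

// Client side: the variables for one subscription per group of the user.
function subscriptionVariables(userId, memberships) {
  const groups = memberships.get(userId) || new Set();
  return [...groups].sort().map((groupId) => ({ groupId }));
}
```

Because the check runs when the subscription is opened, a change in group membership takes effect the next time the client subscribes. The mutation's selection set must include `groupId` for the argument match to work.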