amplify-category-api
Allow user with auth access to resource also access related resources
Amplify CLI Version
1.1.1
Question
I am using amplify gen2 to define a data backend that satisfies the following requirements:
The bullet points are:
- There are 4 Models: User, House, Device, QuietHours
Relations:
- User <-> House : Many to Many
- House -> Device: One to Many
- Device -> QuietHours: One to Many
Functionality:
- Each User will be related to a Cognito userSub
- Each User should be authorized to CRUD operations on the houses they are related to
- Each User should be authorized to CRUD operations on any record which has a relation to such a house, or has a relational path that leads back to such a house (ex. if there exists a QuietHours record 'Q', related to Device 'D', and device 'D' is related to house 'H', then user 'U' should be able to execute CRUD operations on 'Q' and 'D' if and only if 'U' is related to 'H').
- Users should be able to "share" a house with another User, giving that User CRUD operations on that House and all related/tangentially related resources (as described above).
Current Strategies
- Per user / per group data access
  - I do not like this approach, as it requires each record to maintain its own owners array. Sharing a house would then require all tangentially related resources to update their own owners array. In a situation where a house has many related Devices, each with many QuietHours, this could lead to a massive batch update, with potential for partial errors preventing access from certain resources.
- Custom Queries and Mutations
  - I can create a new Model called "Groups" which has a many to many relation with Users, and a one to many relation with all other Models. Each group will represent which group of users can access which resources. I can restrict the initial models to only be accessible by custom queries and mutations, which take in the user's cognitoSub, retrieve their User record, find the associated Group resource, and limit the results of the query to only those resources the User has access to. The downside here is that I need to define all my own queries and mutations for every new model I add.
It seems to me there should be an easier way to do this using a custom auth rule, but I have not had any success. Any guidance would be greatly appreciated!
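
The rule stated in the question (CRUD on a Device or QuietHours record if and only if the caller is related to the owning House) amounts to walking the relation path up to the House and doing one membership check there, which keeps sharing a single membership change instead of a batch update of owners arrays. The TypeScript below is an added illustration, not code from the original post or from Amplify; it uses no Amplify API, and every name and the in-memory sample data are constructed assumptions.

```typescript
// Added example: hypothetical names, constructed in-memory sample data.
type Kind = "House" | "Device" | "QuietHours";
interface Ref { kind: Kind; id: string }

// Parent pointers mirror the relations in the post: QuietHours -> Device -> House.
const deviceHouse: Record<string, string> = { D1: "H1", D2: "H2" };
const quietHoursDevice: Record<string, string> = { Q1: "D1", Q2: "D2", Q3: "D9" };
// User <-> House join, keyed by house id; values are Cognito subs.
const houseMembers: Record<string, string[]> = { H1: ["sub-alice"], H2: ["sub-bob"] };

// Own-property lookup so ids like "constructor" never hit the prototype chain.
function lookup<T>(table: Record<string, T>, key: string): T | null {
  if (!Object.prototype.hasOwnProperty.call(table, key)) return null;
  const value = table[key];
  return value === undefined ? null : value;
}

// Walk the relational path up to the owning House; null if the chain is broken.
function resolveHouse(ref: Ref): string | null {
  if (ref.kind === "House") return ref.id;
  if (ref.kind === "Device") return lookup(deviceHouse, ref.id);
  const deviceId = lookup(quietHoursDevice, ref.id);
  return deviceId === null ? null : lookup(deviceHouse, deviceId);
}

// Deny by default: allow only if the path resolves and the caller is a member.
function canAccess(sub: string, ref: Ref): boolean {
  const houseId = resolveHouse(ref);
  if (houseId === null) return false;
  const members = lookup(houseMembers, houseId);
  return members !== null && members.indexOf(sub) !== -1;
}

// Sharing edits one membership list; only an existing member may share.
function shareHouse(actorSub: string, houseId: string, targetSub: string): boolean {
  if (!canAccess(actorSub, { kind: "House", id: houseId })) return false;
  const members = lookup(houseMembers, houseId);
  if (members === null) return false;
  if (members.indexOf(targetSub) === -1) members.push(targetSub);
  return true;
}
```

Records whose parent chain does not resolve (Q3 points at a missing device in the sample data) are denied rather than treated as unowned.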