This is V2 of this post, updated with new schemas and the most up to date directives from Amplify.
Cover photo by Tarn Nguyen on Unsplash
Wow 🤩great post!
TIL about @key and @function.
One thing that I have always been a little confused about is @auth. What @auth setting makes data publicly readable (like on reddit/instagram), but otherwise protected? Do I always need to register and login to access data?
I see that reddit post does not have @auth at all, does that mean it's completely public, anybody can read and write?
And the reddit comment has @auth(rules: [{allow: owner, operations: [create, update, delete]}]), why is it different from a post?
Thank you for taking time to come up with all of these examples :D
Hey Herman, thanks for pointing this out! The Post type should indeed also have auth rules. The operations: [create, update, delete] setting will allow anyone to query & view the posts, but only the creator to be able to update and delete.
I've updated the post to reflect this change.
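The owner rule discussed in this exchange, written out as a complete Post/Comment schema. This is an added example, not code from the original post; it assumes Amplify GraphQL Transformer v1 directives (@model, @auth, @key, @connection), a Cognito user pool as the API's default auth mode, and, for the optional unauthenticated-read rule, an API key configured as an additional auth mode.

```graphql
# Added example (Amplify GraphQL Transformer v1 syntax).
# Assumes the API's default authorization mode is a Cognito user pool.
#
# With no @auth at all, every signed-in user can read AND write every row.
# The owner rule below restricts only the operations it lists, so "read"
# stays open to any signed-in user while create/update/delete are limited
# to the row's owner (the auto-populated "owner" field).
type Post
  @model
  @auth(rules: [
    { allow: owner, operations: [create, update, delete] }
    # Reddit/Instagram style "readable without logging in": uncomment the
    # rule below and add API key as an additional auth mode on the API.
    # { allow: public, operations: [read] }
  ]) {
  id: ID!
  title: String!
  content: String
  comments: [Comment] @connection(keyName: "byPost", fields: ["id"])
}

# Same pattern for comments: anyone signed in can read them, only the
# author can change or delete their own.
type Comment
  @model
  @key(name: "byPost", fields: ["postId"])
  @auth(rules: [
    { allow: owner, operations: [create, update, delete] }
  ]) {
  id: ID!
  postId: ID!
  content: String!
}
```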
I've been setting up a project with AWS Amplify and really enjoying the experience - especially the cognito for sign up/in. 🧡
However, I ran into a roadblock with amplify add api because it assumes that you want to start with a new DynamoDB table. In the case of having an existing DynamoDB table that I'd like to use, I haven't been able to find anything that works to make this connection happen. Are there any docs for this scenario?
Hi Nader! Thanks for the post!
I think there is an error in the E-commerce App's schema. This definition:
on the Product type will not allow Users to read "2. View products", even the "Admin" group will not be able to do that. I think the auth transformer should read the following:
Subscriptions are not turned off for this model. Any user can subscribe to onCreateCustomer and collect the name, email, and address of all customers. I'm afraid we will start seeing S3 bucket type data leaks from people leaving subscriptions on.
This model also has subscriptions enabled. I don't think you intend for everyone to subscribe to the Report object.
This typically would be behind a separate dashboard only accessible by admins, and real-time updates are useful for this type of dashboard. The subscriptions themselves would typically be behind some custom authorization rules. I've updated the post to mention this in the introduction for those unaware of how this may work.
You can set authorization rules on subscriptions in AppSync, check out docs.aws.amazon.com/appsync/latest... to learn more about them.
Thanks for your feedback.
Yes, you may not want subscriptions enabled here unless you have an admin dashboard of some sort.
If you look at the expanded GraphQL schema that is created by Amplify, you will see all of the operations and subscriptions that are enabled and can modify the base schema as you see fit. For the purposes of this tutorial, I'll update this to have subscriptions disabled for those who may not be aware.
Looking at the expanded schema won't tell you that subscriptions don't respect @auth rules. You would need to carefully read the documentation or understand the generated vtl. Going by published amplify projects, "those who may not be aware" seems to be a large group of people. Making these sample schemas secure would help inform people why subscriptions shouldn't be left on without understanding the consequences.
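One way to close the gap this thread describes: turn subscription generation off on the Customer and Report models instead of relying on @auth to protect them. This is an added example, not code from the original post; it assumes Amplify GraphQL Transformer v1 syntax, a Cognito user pool auth mode and an "Admin" group in that pool.

```graphql
# Added example (Amplify GraphQL Transformer v1 syntax).
# Assumes a Cognito user pool auth mode with an "Admin" group.
#
# subscriptions: null stops the transformer from generating
# onCreateCustomer / onUpdateCustomer / onDeleteCustomer at all, so no
# client can stream customer records, whatever the read rules say.
type Customer
  @model(subscriptions: null)
  @auth(rules: [
    # Customers manage their own record (all operations by default).
    { allow: owner },
    # Admins can see and manage every customer.
    { allow: groups, groups: ["Admin"] }
  ]) {
  id: ID!
  name: String!
  email: String!
  address: String
}

# Reports only exist for the admin dashboard: group-restricted on every
# operation and with subscriptions off. If real-time dashboard updates
# are needed later, re-enable them and protect the subscription resolvers
# with custom authorization rules rather than the model-level @auth.
type Report
  @model(subscriptions: null)
  @auth(rules: [{ allow: groups, groups: ["Admin"] }]) {
  id: ID!
  title: String!
  total: Float
  createdAt: AWSDateTime
}
```

Reviewing the generated schema after `amplify api gql-compile` confirms that no onCreateCustomer or onCreateReport fields remain under the Subscription type.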
Thanks for your great post Nader!
I have one question though.
I have the following use-case: I have Users collection and I want to be able to get a user by id or by email.
Using @key, is it possible to define two or more different custom indexes, or do I have to set up a custom resolver?
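A type can carry several named @key directives, each of which becomes its own DynamoDB global secondary index with a generated query, so the user-by-id and user-by-email lookups asked about here need no custom resolver. This is an added example, not code from the original post; it assumes Amplify GraphQL Transformer v1 syntax.

```graphql
# Added example (Amplify GraphQL Transformer v1 syntax).
# "id" stays the table's primary key (served by getUser). Each named @key
# adds a global secondary index (GSI) on its fields, and queryField
# exposes a top-level query that reads through that index.
type User
  @model
  # GSI on email, exposed as the userByEmail query.
  @key(name: "byEmail", fields: ["email"], queryField: "userByEmail")
  # A second GSI on username, exposed as the userByUsername query.
  @key(name: "byUsername", fields: ["username"], queryField: "userByUsername")
  # Anyone signed in can look users up; only the user edits their own row.
  @auth(rules: [{ allow: owner, operations: [create, update, delete] }]) {
  id: ID!
  email: String!      # index key fields should be non-null
  username: String!
}

# Generated top-level queries (argument lists abbreviated):
#   getUser(id: ID!): User
#   userByEmail(email: ..., filter, limit, nextToken): ModelUserConnection
#   userByUsername(username: ..., filter, limit, nextToken): ModelUserConnection
```

Because a GSI query returns a connection, a lookup by email yields a list with at most one item when email is unique in your data; uniqueness itself is not enforced by the index.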
Great post Nader,
I was wondering how the sort by time works in the case of the events app, since we are declaring the time field as a string and AppSync or DynamoDB is not told how to sort based on the field.
Are DynamoDB reserved words allowed in GraphQL types? Sometimes my Amplify build fails with a GraphQL error pointing to a type with a reserved name. However, this same build would have worked before. DynamoDB reserved words appear in your examples (User) so I'm still not sure what causes the issue.
docs.aws.amazon.com/amazondynamodb...
Another question around Reddit Clone. Where do I add the custom resolver and what is the naming convention?
I noticed in the Instagram clone you used both "operations" and "queries" arguments. Is there any reason?
Hey Usman, yes when I originally published this I used queries: null to specify some authorization rules. After publishing the post, I decided to refactor to use the operations array because the queries rule will be deprecated for authorization rules.
Mhhhh, I guess in all the schemas there is no way to check if the user has liked the post already. So we can't show this in the GUI.
Thanks for updating, the hardest part of learning Amplify or AppSync development right now is outdated examples.
You should try it on code.store, a GraphQL back-end as a service we've just released a few days ago :)
This is v1 though, right? They have new directives now, these are deprecated. Anyone have a good resource to learn?