re: GraphQL Tutorial - How to Manage Image & File Uploads & Downloads with AWS AppSync & AWS Amplify VIEW POST

re: Hi Nader, Your tutorial is interesting. I have 3 questions : You do mention that S3Object images are private but I don't understand why you do ...
  1. So there are two parts to accessing the S3Object, one from the bucket itself and two from the actual API. Typically the best security practice is to leave all images secure and only access them using a signed URL. The example I gave with private images is typically the use case I recommend. If we use @auth rules for owner, only the user uploading them image would be able to view it but in reality we want it to be available to any user of the app. Sure, we could set queries to null and allow anyone to access the location that of the image, but either way we ideally only want users accessing the image directly from our app to be successful.

  2. We actually have equal support for Angular & Vue. We now also have an advocate like me on our team who specializes in angular but does not write as much content, he's busy traveling around giving more workshops and talks. I think we see much more articles talking about React because I am very visible and active in that community, but in reality there is pretty much feature parity between the frameworks.

  3. I don't know the answer to this. If this is a feature you'd like, I'd suggest submitting an issue in the GitHub repo and we can see about putting it on our roadmap.


I thank you for your answer Nader.

  1. Not sure I understood your entire answer, but I read in Amplify documentation that @auth(rules: [{ allow: owner, operations: [create, update, delete] }]) does allow other users to read owner's images with a public S3 bucket. Isn't it ?

  2. I do not agree with you on this point. And I do not see what UI prebuilt components are for. It is impossible to insert in a professional web app.

  3. Observables are much more practical and powerful than Promises.

  4. Is it possible to generate both Api_key and Cognito Auth with Amplify-CLI ? To finally get both elements in aws-exports.ts ?

  5. I read that AWS AppSync API keys expire seven days after creation, and using API KEY authentication is only suggested for development. So, how to set up permanent public datas ?

1 No, the @auth rules only apply to the GraphQL API not the S3 bucket for storage. The rules you mentioned will allow anyone to read from the database, but the a user still needs to be authorized to read from the S3 bucket in some way, either signed in or not, via the Amplify SDK (sends a signed request, gets a signed url that is valid for a set period of time)

4 Yes, we support multi auth now (starting last week) from the CLI ->

5 You can update the API key by changing the expiration date in the local settings and run amplify push to update ->

Thanks for your answers. I have just 3 last questions, very important for me.

  1. I read that in an angular web app we can use two AmplifyAppsyncClient BUT it is impossible to do "amplify add auth" twice to get both api_key and a Cognito user pool. We just can insert an API KEY in aws-exports built from another project.

  2. In fact, there are more than 2 use cases. There are 3 use cases.
    _ public images (public for anyone, authenticated and unauthenticated users)
    _ private images (public access for authenticated users)
    _ sensitive private images (read/write only for one and only one user)
    You don't talk about the third use case. How to handle (with amplify-cli) that ?
    With custom cloudformations like this ?

Is there a JWT Cognito authentication mechanism to prevent requests to get objects that do not belong to the user ?

  1. We can store audio and video files too but how to read that in a web app ?
  1. Yes you can combine authorization rules. See details here

  2. Private access is built in to Amplify - See docs here referencing private access

  3. Yes, the process of storing would be the same, the only difference is you would need to deal with standard streaming / buffering protocols on the client that are agnostic to Amplify.

code of conduct - report abuse