re: GraphQL Tutorial - How to Manage Image & File Uploads & Downloads with AWS AppSync & AWS Amplify

re: I thank you for your answer Nader. Not sure I understood your entire answer, but I read in Amplify documentation that @auth(rules: [{ allow: owne...

1. No, the @auth rules only apply to the GraphQL API, not the S3 bucket for storage. The rules you mentioned will allow anyone to read from the database, but a user still needs to be authorized to read from the S3 bucket in some way, either signed in or not, via the Amplify SDK (sends a signed request, gets a signed URL that is valid for a set period of time).

4. Yes, we support multi-auth now (starting last week) from the CLI ->

5. You can update the API key by changing the expiration date in the local settings and running amplify push to update ->

Thanks for your answers. I have just 3 last questions, very important for me.

  1. I read that in an Angular web app we can use two AmplifyAppsyncClient, BUT it is impossible to do "amplify add auth" twice to get both api_key and a Cognito user pool. We can just insert an API key in aws-exports built from another project.

  2. In fact, there are more than 2 use cases. There are 3 use cases:
    _ public images (public for anyone, authenticated and unauthenticated users)
    _ private images (public access for authenticated users)
    _ sensitive private images (read/write only for one and only one user)
    You don't talk about the third use case. How to handle that (with amplify-cli)?
    With custom CloudFormation templates like this?

Is there a JWT Cognito authentication mechanism to prevent requests from getting objects that do not belong to the user?

  3. We can store audio and video files too, but how do we read them in a web app?

  1. Yes, you can combine authorization rules. See details here

  2. Private access is built into Amplify - see the docs here on private access

  3. Yes, the process of storing would be the same; the only difference is that you would need to deal with standard streaming / buffering protocols on the client, which are agnostic to Amplify.
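To make the three storage cases and the "private access" answer concrete, here is an added example that is not from the post, its author, or the Amplify project. It models how Amplify Storage access levels map to S3 key prefixes and how the IAM policies Amplify generates decide who may read or write each key. Everything below is an assumption stated in the code, not verified against Amplify's current templates: the prefixes `public/`, `protected/<identityId>/` and `private/<identityId>/`; the default grants (guests read public; signed-in users create/update/read/delete public; any signed-in user reads protected but only the owner writes it; private is owner-only); and that the owner segment of the key is matched against the Cognito Identity id bound to the credentials that signed the S3 request, which is the mechanism that stops one user fetching another user's private object. The sample principals and keys are constructed for the example.

```javascript
// Added example (not code from the original post or from Amplify): a model of
// Amplify Storage access levels and the IAM decisions behind them.
// Assumption: key prefixes public/, protected/<id>/, private/<id>/ and the
// default grants described in the lead-in. Identity ids are Cognito Identity
// Pool ids; identityId === null represents an unauthenticated guest.
const GUEST = { identityId: null };
const ALICE = { identityId: 'us-east-1:11111111-aaaa-4bbb-8ccc-000000000001' }; // constructed
const BOB   = { identityId: 'us-east-1:22222222-aaaa-4bbb-8ccc-000000000002' }; // constructed

// Split an S3 key into its access level, owner and object name.
// Keys outside the three prefixes are covered by no policy statement.
function parseKey(key) {
  const [prefix, ...rest] = key.split('/');
  if (prefix === 'public' && rest.length >= 1) {
    return { level: 'public', owner: null, name: rest.join('/') };
  }
  if ((prefix === 'protected' || prefix === 'private') && rest.length >= 2) {
    return { level: prefix, owner: rest[0], name: rest.slice(1).join('/') };
  }
  return null;
}

// Decide whether `principal` may perform `action` ('get' | 'put' | 'delete')
// on `key`, mirroring the assumed default grants.
function isAllowed(principal, action, key) {
  const parsed = parseKey(key);
  if (parsed === null) return false;
  const signedIn = principal.identityId !== null;

  switch (parsed.level) {
    case 'public':
      // Use case 1: readable by anyone; writable only when signed in.
      return action === 'get' ? true : signedIn;
    case 'protected':
      // Use case 2: any signed-in user may read; only the owner may write.
      if (!signedIn) return false;
      return action === 'get' || parsed.owner === principal.identityId;
    case 'private':
      // Use case 3: only the owner, for every action. In the real policy the
      // owner segment is matched against ${cognito-identity.amazonaws.com:sub},
      // which comes from the credentials that signed the request, so a client
      // that writes someone else's id into the key still gets AccessDenied.
      return signedIn && parsed.owner === principal.identityId;
    default:
      return false;
  }
}

// Key an upload lands under for a given level (assumption: this is the layout
// Storage.put(name, data, { level }) produces on the client side).
function keyFor(level, name, principal) {
  if (level === 'public') return `public/${name}`;
  if (principal.identityId === null) {
    throw new Error('guest callers can only use the public level');
  }
  return `${level}/${principal.identityId}/${name}`;
}

// Evaluate the three use cases against the sample principals and return the
// decision matrix, so the difference between the levels is visible at a glance.
function accessMatrix() {
  const keys = {
    public:    keyFor('public', 'logo.png', GUEST),
    protected: keyFor('protected', 'avatar.jpg', ALICE),
    private:   keyFor('private', 'passport.jpg', ALICE),
  };
  const matrix = {};
  for (const [level, key] of Object.entries(keys)) {
    matrix[level] = {};
    for (const [who, p] of [['guest', GUEST], ['alice', ALICE], ['bob', BOB]]) {
      matrix[level][who] = {
        get: isAllowed(p, 'get', key),
        put: isAllowed(p, 'put', key),
      };
    }
  }
  return matrix;
}

console.log(JSON.stringify(accessMatrix(), null, 2));
```

The point of the model is the `private` branch: the owner check is not done by inspecting a JWT on the object request but by the IAM policy comparing the key's identity segment with the identity behind the signing credentials, so the only way to read `private/<id>/...` is to hold credentials for that identity.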
