DEV Community

GraphQL Recipes (V2) - Building APIs with GraphQL Transform

Nader Dabit on August 08, 2019

This is V2 of this post, updated with new schemas and the most up to date directives from Amplify. Cover photo by Tarn Nguyen on Unsplash To vie...
Herman Starikov

Wow 🤩great post!

TIL about @key and @function.

One thing that I have always been a little confused about is @auth. What @auth setting makes data publicly readable (like on reddit/instagram), but otherwise protected? Do I always need to register and login to access data?

I see that the Reddit Post type does not have @auth at all; does that mean it's completely public, and anybody can read and write?

And the Reddit Comment type has @auth(rules: [{allow: owner, operations: [create, update, delete]}]); why is it different from a post?

Thank you for taking time to come up with all of these examples :D

Nader Dabit

Hey Herman, thanks for pointing this out! The Post type should indeed also have auth rules. The operations: [create, update, delete] setting will allow anyone to query and view the posts, but only the creator to update and delete them.

I've updated the post to reflect this change.

Timothy Vernon

I've been setting up a project with AWS Amplify and really enjoying the experience - especially the cognito for sign up/in. 🧡

However, I ran into a roadblock with amplify add api because it assumes that you want to start with a new DynamoDB table. In the case of having an existing DynamoDB table that I'd like to use, I haven't been able to find anything that works to make this connection happen. Are there any docs for this scenario?

sakhmedbayev

Hi Nader! Thanks for the post!

I think there is an error in the E-commerce App's schema. This definition:

```graphql
@auth(rules: [
    {allow: groups, groups: ["Admin"], operations: [create, update, delete]}
  ])
```

on the Product type will not allow users to read ("2. View products"); even the "Admin" group will not be able to do that. I think the auth transformer should read the following:

```graphql
@auth(
    rules: [
      { allow: groups, groups: ["Admin"], operations: [read, create, update, delete] }
      { allow: public, operations: [read] }
    ]
  )
```
rosswilliams

```graphql
type Customer
  @model
  @auth(rules: [
    { allow: owner }, { allow: groups, groups: ["Admin"]}
  ]) {
  id: ID!
  name: String!
  email: String!
  address: String
}
```

Subscriptions are not turned off for this model. Any user can subscribe to onCreateCustomer and collect the name, email, and address of all customers. I'm afraid we will start seeing S3-bucket-type data leaks from people leaving subscriptions on.

rosswilliams

```graphql
type Report @model
  @auth(rules: [
    {allow: owner, operations: [create, update, delete]},
    {allow: groups, groups: ["Admin"]}
  ])
```

This model also has subscriptions enabled. I don't think you intend for everyone to subscribe to the Report object.

Nader Dabit

This typically would be behind a separate dashboard only accessible by admins, and real-time updates are useful for this type of dashboard. The subscriptions themselves would typically be behind some custom authorization rules. I've updated the post to mention this in the introduction for those unaware of how this may work.

You can set authorization rules on subscriptions in AppSync, check out docs.aws.amazon.com/appsync/latest... to learn more about them.

Thanks for your feedback.

Nader Dabit • Edited

Yes, you may not want subscriptions enabled here unless you have an admin dashboard of some sort.

If you look at the expanded GraphQL schema that is created by Amplify, you will see all of the operations and subscriptions that are enabled and can modify the base schema as you see fit. For the purposes of this tutorial, I'll update this to have subscriptions disabled for those who may not be aware.
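Putting the two threads above together (Herman's question about which @auth rule makes data publicly readable but owner-writable, and rosswilliams's point about the generated subscriptions on Customer and Report), here is an added example schema. It is not code from the original post. It assumes the Amplify GraphQL Transform v1 directives the thread discusses, including the `subscriptions: null` argument to @model, and an API configured with Cognito User Pools as the default authorization mode plus an API key as an additional mode, which is what `allow: public` uses by default.

```graphql
# Added example, not from the original post. Assumes Amplify GraphQL
# Transform v1 (@model, @auth, and @model's `subscriptions: null` argument)
# with Cognito User Pools as the default auth mode and an API key as a
# second mode for the `allow: public` rule.

# Readable by anyone, writable only by the record's owner: the public rule
# grants read explicitly, the owner rule is limited to the write operations.
type Post
  @model
  @auth(rules: [
    { allow: public, operations: [read] }
    { allow: owner, operations: [create, update, delete] }
  ]) {
  id: ID!
  title: String!
  content: String
}

# Admin-only data. `subscriptions: null` stops the transform from generating
# onCreateReport / onUpdateReport / onDeleteReport at all, so no client can
# subscribe to the stream of records regardless of how the rules are applied.
type Report
  @model(subscriptions: null)
  @auth(rules: [
    { allow: owner, operations: [create, update, delete] }
    { allow: groups, groups: ["Admin"] }
  ]) {
  id: ID!
  title: String!
  body: String
}
```

Dropping the subscription fields is the blunt option. If a real-time admin dashboard is wanted, as Nader describes, the subscriptions have to be kept and given their own authorization logic rather than relying on the @auth rules written for queries and mutations.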

rosswilliams

Looking at the expanded schema won't tell you that subscriptions don't respect @auth rules. You would need to carefully read the documentation or understand the generated VTL. Going by published Amplify projects, "those who may not be aware" seems to be a large group of people. Making these sample schemas secure would help inform people why subscriptions shouldn't be left on without understanding the consequences.

Sotiris Maipas

Thanks for your great post Nader!

I have one question though.
I have the following use case: I have a Users collection and I want to be able to get a user by id or by email.
Using @key, is it possible to define two or more different custom indexes, or do I have to set up a custom resolver?
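An added example for the lookup-by-email case asked about above; it is not code from the original post or from the Amplify project. It assumes the @key directive of Amplify GraphQL Transform v1, where a named @key creates a DynamoDB global secondary index and `queryField` adds a query that reads from it; the type, field and query names are illustrative.

```graphql
# Added example, not from the original post. Assumes Amplify GraphQL
# Transform v1's @key directive: a named @key becomes a global secondary
# index on the table, and `queryField` generates a query that uses it.
# The default primary key (id) is kept, so lookups by id work as before.
type User
  @model
  @key(name: "byEmail", fields: ["email"], queryField: "userByEmail")
  @auth(rules: [{ allow: owner }]) {
  id: ID!
  email: String!
  name: String
}

# The generated query takes the indexed field as its argument and returns a
# connection, since a GSI can hold more than one item for the same key.
query UserByEmail {
  userByEmail(email: "alice@example.com") {
    items {
      id
      name
    }
  }
}
```

Each additional named @key adds another index, so several lookup fields can coexist on one type without a custom resolver; the one @key written without a name, if present, defines the table's primary key instead.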

Dina

Great post Nader,

I was wondering how the sort by time works in the case of the events app, since we are declaring the time field as a string and AppSync or DynamoDB is not told how to sort based on that field.

Johan Steenkamp

Are DynamoDB reserved words allowed in GraphQL types? Sometimes my Amplify build fails with a GraphQL error pointing to a type with a reserved name. However, this same build would have worked before. DynamoDB reserved words appear in your examples (User), so I'm still not sure what causes the issue.
docs.aws.amazon.com/amazondynamodb...

Dina

Another question around Reddit Clone. Where do I add the custom resolver and what is the naming convention?

Usman Suleiman

I noticed in the Instagram clone you used both "operations" and "queries" arguments. Is there any reason?

Nader Dabit

Hey Usman, yes, when I originally published this I used queries: null to specify some authorization rules. After publishing the post, I decided to refactor to use the operations array, because the queries rule will be deprecated for authorization rules.

Brian Winkers

Thanks for updating; the hardest part of learning Amplify or AppSync development right now is outdated examples.

David Biller

Mhhhh,
I guess in all the schemas there is no way to check if the user has liked the post already. So we can't show this in the GUI.

Maxime Topolov

You should try it on code.store, a GraphQL back-end as a service we released a few days ago :)