Search code examples
amazon-cognitoaws-appsync

Appsync Authorization for Non Signed In Users

Im using Appsync in a Vue application and have Cognito user pools setup for users to be able to sign-in to my application. However, there are some pages on my app where a non-signed in user should be able to view only ie: "think: reading answers on stack overflow" , however there are some cases where users need to be able to add a comment to that page and need to sign in to edit it.

On my API in Appsync I have the authorization set to "Amazon Cognito User Pool" and the default action set to "Allow" but then how can I make it so non-cognito users can still view a page? What combination of settings should I use?

Solution

  • Annoyingly AppSync does not support multiple authentication methods, and as you've noticed Cognito UserPool integration requires users to have signed in before they can access the graphql endpoint.

    There are a few workarounds, however none of them are that pretty:

    • Deploy two versions- one with full functionality using UserPools and one open version using API Key (that you embed into the client)
    • Handle authentication yourself. Use the IAM Role security for App Sync, and instead of connecting directly to the graphql endpoint, create a proxy lambda in API Gateway that either verifies UserPool users or allows limited access with no credentials.
    • Create a no-user "user" in your UserPool with known (e.g. in your app, or from an endpoint) credentials. The onus would then be on you to check if your user is this user when responding to secured mutations/queries. One way of doing this more safely might be to add a custom attribute "custom:insecure" which you can check for on non-open endpoints.
    • Use the "viewer" pattern (check Facebook's implementation). Make your GraphQL Schema open by default (e.g. known API Key) and have all of your queries/mutations take the first parameter of viewer. This might be the access token that Cognito returns on authentication. Each resolver would then be responsible for determining if the token is valid (e.g.cognito::getUser) or access is allowed without a viewer defined.

    Although it initially sounds like the hardest, I would recommend my first solution. There are ways of automating AppSync deployments, and it makes a clear distiniction between what's open and what's secured on your schema.