
Fine grained access control with Appsync/Firebase


Will it be a good idea to create a completely "serverless" app using Appsync/Firebase when fine-grained access control is necessary?

I tried to build an app with Firebase, and then with AppSync, and it feels like these solutions are kind of crippling me, and I started to think that maybe I'm still thinking in the "old" way of solving the problem, and that's what is crippling me and not the tools.

Where I'm struggling is with access control. Firebase has "Firebase rules" and AppSync has "VTL" (Apache Velocity Template Language). Both offer relatively good solutions: "Firebase rules" is easier and cleaner, but VTL is more robust because it is basically a programming language.

The problem is that I'm trying to give the user access to documents on the database based on a "collection/table" of permissions. So each user has a document inside that "collection/table" with fine-grained permissions, and I need to read that document in order to know if he has access to the resource he is trying to read/write.

With both Firebase and AppSync I can read the DB, but both have their limits:

  • Firebase Rules has request limits, and that is problematic if a user has multiple "permission groups".
  • AppSync is more flexible, but still limited, and I'd rather use my language of choice than VTL if I'm going to write some logic. In addition, I'd rather have that code inside my project locally than only in the cloud, accessible via the GUI.

So, in the end, it feels like both solutions drive me into having another layer before them in order to do more complex stuff, so it can either be functions or an entire app. But then, why do I need all of their APIs? Having another layer before AppSync/Firebase basically forces me to reimplement GraphQL/Firebase's API, and then, why not build it using another tool?

So, am I doing it all wrong? Will it be better to have an app deployed on AppEngine or a similar solution(and thus losing the advantages of functions)?

Note: I'm sorry if after all this reading it's still not clear, English is my first language.


Solution

  • AWS AppSync added Pipeline Resolvers recently, which sounds like a perfect solution for your use case. You compose the GraphQL resolver with a chain of Resolver Functions. Your auth check against the document collection table can be implemented as a reusable function.

    Take a look at the Pipeline Resolvers tutorial to see if it meets your needs.
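The pattern the answer describes, as an added example that is not from the post or from AWS: a plain-JavaScript model of a pipeline resolver, where a reusable authorization function reads the caller's permission document first and the data function only runs if that check passes. The `ctx`/`stash` shape imitates AppSync's pipeline context, and the permissions table, group grants and documents are constructed sample data, not a real schema.

```javascript
// Added example: a plain-JS model of an AppSync pipeline resolver. The ctx and
// stash objects imitate the pipeline context; no AppSync runtime is used.
const PERMISSIONS = {           // constructed: one permission document per user
  alice: { groups: ['editors'] },
  bob:   { groups: ['readers'] },
};
const GROUP_GRANTS = {          // constructed: what each permission group may do
  editors: { doc: ['read', 'write'] },
  readers: { doc: ['read'] },
};
const DOCS = { 'doc-1': { id: 'doc-1', body: 'hello' } };  // constructed data

// Pipeline function 1: the reusable auth check. It reads the caller's permission
// document, allows the action if any of the user's groups grants it, and
// records the groups in ctx.stash for later functions. Deny by default.
function authorize(ctx) {
  const perm = PERMISSIONS[ctx.identity.username];
  const groups = perm ? perm.groups : [];      // no document => no groups
  const allowed = groups.some(
    (g) => (GROUP_GRANTS[g]?.[ctx.args.type] || []).includes(ctx.args.action)
  );
  if (!allowed) throw new Error('Unauthorized');
  ctx.stash.groups = groups;
  return ctx;
}

// Pipeline function 2: the data step, only reached after authorize() passed.
function getDoc(ctx) {
  ctx.result = DOCS[ctx.args.id] ?? null;
  return ctx;
}

// Runs the functions in order, the way a pipeline resolver chains them.
function runPipeline(fns, ctx) {
  for (const fn of fns) ctx = fn(ctx);
  return ctx.result;
}

// Resolve a document as a given user; returns the outcome instead of throwing.
function resolve(username, action, id) {
  const ctx = { identity: { username }, args: { type: 'doc', action, id },
                stash: {}, result: null };
  try {
    return { ok: true, result: runPipeline([authorize, getDoc], ctx) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

Because `authorize` is its own function, the same check can sit in front of every resolver that touches the documents, which is the reuse the answer points at.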