I'm building a post office app with React and AWS. I am currently building my GraphQL API, and I know that I can use @auth decorators in my GraphQL schema, which allows me to prevent some users from reading properties depending on their auth status and group.
I was wondering if it is possible to add these @auth rules to a mutation? My purpose is to prevent users who are NOT in the Admin or Worker groups from accessing my API mutation for deleting packages. If it is not possible, what would be the best approach to make a specific mutation accessible only to specific groups (the groups are stored in the AWS Cognito user pools)?
You can, indeed, restrict access to mutations for a given @model to a known set of groups using the @auth directive. For example, to allow only administrators and employees access to the delete operation for a given model, you might try something like this:
    type Package
      @model
      @auth(
        rules: [
          # Static group rule: only members of these Cognito user pool groups may
          # run the delete operation. Group names are matched exactly against the
          # caller's token, so they must be spelled the same as in Cognito (the
          # question names the groups "Admin" and "Worker").
          { allow: groups, groups: ["Admin", "Worker"], operations: [delete] }
        ]
      ) {
      id: ID!
    }
Here, when calling the API, the operation will fail for any user not enrolled in the admin or employee groups. Check out the documentation on Static Group Authorization and Dynamic Group Authorization for more information.