I'm working on building a website with React for the Frontend, Stripe for payments, and AWS Services for the backend. I wanted to build a subscription based model. I'm using AWS Cognito for Authentication, DynamoDB for the Database, and GraphQL for the API calls from the Frontend. I've been trying to understand how to allow some of these GraphQL calls based only to users that are subsribed. I'm not sure how to put these things together
I read somewhere about customizing the access token with custom values. But I'm not sure if it's the best way for my case, what if a signed up user tries to make one of these API calls and it succeeds even though he isn't subscribed
There could be several ways to go about this. The most important aspect to remember is you will want to use the access token to determine any authorization decisions. Since you also mentioned the app involves payments, just keep security top of mind at all times and ensure you met whatever security posture is appropriate for your needs.
One way for you to accomplish what you're trying to do (based solely on the information provided), is to use the groups in Amazon Cognito. As a very basic (and simple) example, you could have a "subscribedMembers" group in your Cognito user pool. If the user is a member of this group, the the issued access token after the user signs-in will contain a claim called cognito:groups
and will display the group membership. Here's an example of what that claim would look like in the access token:
"cognito:groups": [
"subscribedMembers"
],
You could create a process within your application that would allow anyone to sign-up and create an account. This general step would simply create an account for user for your app. Then you could create a process that would allow a user to become a subscribed user of your app- aligning to whatever your requirements are for this. As a part of becoming a subscribed user, they would be added the "subscribedMembers" Cognito group. For example, the backend of your app could call the AdminAddUserToGroup API for this process.
From the GraphQL perspective, let's assume you're using AWS AppSync, you could perform authorization decisions based on this group membership. As an example, you could have a request template that looked something like this:
#foreach($group in $context.identity.claims.get("cognito:groups"))
#if($group == "subscribedMembers")
#set($inCognitoGroup = true)
#end
#end
#if($inCognitoGroup)
{
"operation" : "GetData"
// INSERT YOUR LOGIC HERE
}
#else
$utils.unauthorized()
#end
A couple things to consider:
In addition to the above links, here's some additional resources to help: