DEV Community

Cover image for GraphQL Recipes (V2) - Building APIs with GraphQL Transform

GraphQL Recipes (V2) - Building APIs with GraphQL Transform

Nader Dabit on August 08, 2019

This is V2 of this post, updated with new schemas and the most up to date directives from Amplify. Cover photo by Tarn Nguyen on Unsplash To vie...
Collapse
 
hermanya profile image
Herman Starikov

Wow 🤩great post!

TIL about @key and @function.

One thing that I have always been a little confused about is @auth. What @auth setting makes data publicly readable (like on reddit/instagram), but otherwise protected? Do I always need to register and login to access data?

I see that reddit post does not have @auth at all, does that mean it's completely public, anybody can read and write?

And the reddit comment has @auth(rules: [{allow: owner, operations: [create, update, delete]}]), why is it different from a post?

Thank you for taking time to come up with all of these examples :D

Collapse
 
dabit3 profile image
Nader Dabit

Hey Herman, thanks for pointing this out! The Post type should indeed also have auth rules. The operations: [create, update, delete] setting will allow anyone to query & view the posts, but only the creator to be able to update and delete.

I've updated the post to reflect this change.

Collapse
 
tvthatsme profile image
Timothy Vernon

I've been setting up a project with AWS Amplify and really enjoying the experience - especially the cognito for sign up/in. 🧡

However, I ran into a roadblock with amplify add api because it assumes that you want to start with a new DynamoDB table. In the case of having an existing DynamoDB table that I'd like to use, I haven't been able to find anything that works to make this connection happen. Are there any docs for this scenario?

Collapse
 
sakhmedbayev profile image
sakhmedbayev

Hi Nader! Thanks for the post!

I think there is an error in the E-commerce App's schema. This definition:

 @auth(rules: [
    {allow: groups, groups: ["Admin"], operations: [create, update, delete]}
  ])

on Product type will not allow Users to read "2. View products", even "Admin" group will not be able to do that. I think auth transformer should read the following:

@auth(
    rules: [
      { allow: groups, groups: ["Admin"], operations: [read, create, update, delete] }
      { allow: public, operations: [read] }
    ]
  )
Collapse
 
rosswilliams profile image
rosswilliams
type Customer
  @model
  @auth(rules: [
    { allow: owner }, { allow: groups, groups: ["Admin"]}
  ]) {
  id: ID!
  name: String!
  email: String!
  address: String
}
Enter fullscreen mode Exit fullscreen mode

Subscriptions is not turned off for this model. Any user can subscribe to onCreateCustomer and collect name, email, and address of all customers. I'm afraid we will start seeing S3 bucket type data leaks from people leaving subscriptions on.

Collapse
 
rosswilliams profile image
rosswilliams
type Report @model
  @auth(rules: [
    {allow: owner, operations: [create, update, delete]},
    {allow: groups, groups: ["Admin"]}
  ])

This model also has subscriptions enabled. I dont think you intend for everyone to subscribe to the Report object.

Collapse
 
dabit3 profile image
Nader Dabit

This typically would be behind a separate dashboard only accessible by admins, and real-time updates are useful for this type of dashboard. The subscriptions themselves would typically be behind some custom authorization rules. I've updated the post to mention this in the introduction for those unaware of how this may work.

You can set authorization rules on subscriptions in AppSync, check out docs.aws.amazon.com/appsync/latest... to learn more about them.

Thanks for your feedback.

Collapse
 
dabit3 profile image
Nader Dabit • Edited

Yes, you may not want subscriptions enabled here unless you have an admin dashboard of some sort.

If you look at the expanded GraphQL schema that is created by Amplify, you will see all of the operations and subscriptions that are enabled and can modify the base schema as you see fit. For the purposes of this tutorial, I'll update this to have subscriptions disabled for those who may not be aware.

Collapse
 
rosswilliams profile image
rosswilliams

Looking at the expanded schema won't tell you that subscriptions don't respect @auth rules. You would need to carefully read the documentation or understand the generated vtl. Going by published amplify projects, "those who may not be aware" seems to be a large group of people. Making these sample schemas secure would help inform people why subscriptions shouldn't be left on without understanding the consequences.

Collapse
 
smaipas profile image
Sotiris Maipas

Thanks for your great post Nader!

I have one question though.
I have the following use-case: I have Users collection and I want to be able to get a user by id or by email.
Using @key is it possible to define two or more different custom indexes or I have to setup a custom resolver?

Collapse
 
dnafication profile image
Dina

Great post Nader,

I was wondering how does the sort by time work in case of the events app since we are declaring the time field as a string and appsync or dynamodb is not told how to sort based on the field.

Collapse
 
johanstn profile image
Johan Steenkamp

Are DynamoDB reserved words allowed in GraphQL types? Sometimes my Amplify build fails with a GraphQL error pointing to a type with reserved name. However this same build would have worked before. DynamoDB reserved words appear in your examples (User) so I'm still not sure what causes the issue.
docs.aws.amazon.com/amazondynamodb...

Collapse
 
dnafication profile image
Dina

Another question around Reddit Clone. Where do I add the custom resolver and what is the naming convention?

Collapse
 
devusman profile image
Usman Suleiman

I noticed in the Instagram clone you used both "operations" and "queries" arguments. Is there any reason?

Collapse
 
dabit3 profile image
Nader Dabit

Hey Usman, yes when I originally published this I used queries: null to specify some authorization rules. After publishing the post, I decided to refactor to use the operations array because the queries rule will be deprecated for authorization rules.

Collapse
 
davidbiller profile image
David Biller

Mhhhh
i guess in all the schemas, there is no way to check if the user has liked the post already. So we cant show this in the GUI.

Collapse
 
bwinkers profile image
Brian Winkers

Thanks for updating, the hardest part of learniong Amplify or AppSync development right now is outdated examples.

Collapse
 
mtopolov profile image
Maxime Topolov

You should try it on code.store a GraphQL back-end as a service we've just released few days ago :)

Collapse
 
bartdev profile image
Wojtek

this is v1 though right? they have new directives now theses are deprecated. Anyone have good resource to learn?