Authenticate a mutation via a Custom Lambda Authorizer on AppSync

Question

I'm trying to create a fully AppSync managed API.

I'm using a Custom Lambda Authorizer and I want to authenticate some mutations. I've read this very interesting post on nested resolvers and this stackoverflow post but I still can't find a solution to my problem.

So, I have a mutation, say createReview that should be solved by a DynamoDB resolver and I want my Custom Lambda Authorizer to both authorize and authenticate createReview request.

How should this be organized?

I know I could either solve my createReview request by using a Lambda resolver, or that I could use AWS Cognito as Authorizer, but I'm trying to achieve right what I've asked.

Thank you for any advice

Answer 1

The post I had linked was already giving enough information to solve the problem.

I was stubbornly hooked on the usage of mutation because I didn't have enough knowledge on GraphQL to know what makes it different from query.

Abandoning mutation and using query is enough to solve the problem.

So I have a

type Object {
   field1: String!
   field2: String
}

and a

type AuthObject {
    field1: String!
    field2: String
    data: Object
}

my query is like

type Query {
    createObject (
        field1: String!
        field2: String
    ) : AuthObject
}

and an authenticator lambda function, to which all the arguments and the authentication token are passed. This function's job is to validate the token and, if valid, to return all the arguments. In the output mapping template if the lambda failed to authenticate GraphQL raises an unauthenticated message, otherwise returns the arguments.

Then, I have attached these resolvers:

createObject => a resolver that calls the lambda and maps input and output

AuthObject.data:Object => a dynamodb resolver that calls PutItem using `$ctx.source` to retrieve the arguments.

It's actually the same as the hackernoon post, I simply used PostItem instead of GetItem.