英文:
How to place users into specific authentication pools on sign up with AWS Amplify?
问题
这似乎应该是大多数网站的常见功能,但我没有看到任何相关文档。我的网站有三个使用者群体:
- 客户
- 教师
- 管理员
当客户使用 Authenticator 组件注册时,它目前会将用户添加到 Cognito 用户池,但不会添加到任何特定的群组。我想捕获这个注册请求,然后在“客户”池中创建一个新的 Cognito 用户。
我有一个 GraphQL 模式,允许根据 Cognito 群组访问数据:
type ClassGroup @model @auth(rules: [{allow: public, operations: [read]}, {allow: groups, groups: ["admins"], operations: [read, create, update, delete]}]) {
id: ID!
className: String
semesterPrice: Float
}
为了进行该群组更改,我必须在 Amplify 控制台内手动执行:
我如何实现用户和数据可访问性的这种分离?如何允许一组用户访问某些数据,而其他用户访问其他数据?
英文:
I assume this is should be a common feature of most websites, but I have seen no documentation for it. I have a website that has three groups of people that use it:
- Clients
- Teachers
- Admins
When a client signs up with the Authenticator Component, it currently adds the user to the Cognito pool, but not to any specific group. I would like to capture this sign-up request, then create a new cognito user inside the Client pool.
I have a graphql schema that allows access to data based on the cognito group:
type ClassGroup @model @auth(rules: [{allow: public, operations: [read]}, {allow: groups, groups: ["admins"], operations: [read, create, update, delete]}]) {
id: ID!
className: String
semesterPrice: Float
}
To make that group change, I have to do it manually inside the Amplify Console:
I
How can I accomplish this separation of users and accessibility inside AWS? How can I allow one group of users to access certain data and other users to access other data?
答案1
得分: 1
你的GraphQL模式可以如下所示:
type EmployerAccount
@model
@auth(
rules: [
{ allow: owner, operations: [create, update, delete, read] }
{ allow: private, operations: [read] }
{ allow: public, provider: iam, operations: [read] }
]
) {
...
}
你可以在Cognito池中添加一个custom:group属性,像这样:
await Auth.signUp({
username: email,
password,
attributes: {
"custom:group": "Employer"
},
});
然后,你可以在Cognito池上使用Post Confirmation Lambda函数将用户发送到特定的表。
CLI:
运行 amplify update auth 并将这个函数添加为触发器。
Lambda函数
/**
* @type {import('@types/aws-lambda').APIGatewayProxyHandler}
*/
var dynamodb = require("aws-sdk/clients/dynamodb");
var ddb = new dynamodb({ region: "eu-west-1" });
exports.handler = async (event, context) => {
console.log("EVENT", event);
console.log("CONTEXT", context);
let date = new Date();
// 由于这是一个PostConfirmation触发器,它可以被其他事件触发
// 我们只想在triggerSource为PostConfirmation_ConfirmSignUp时运行以下代码
// 另一个可能是"forgot_password"(我们不想运行此代码)
const valueTrigger = event.triggerSource;
const confirmSignUp = "PostConfirmation_ConfirmSignUp";
// 如果triggerSource为PostConfirmation_ConfirmSignUp,那么我们知道用户刚刚注册
if (valueTrigger === confirmSignUp) {
// 只有当用户具有sub(唯一用户ID)时才运行下面的代码
if (event.request.userAttributes.sub) {
// 我们将使用他们的自定义组来确定需要传递给DynamoDB调用的参数
const paramsToUse = event.request.userAttributes["custom:group"] === "Employer" ? candidateParams : employerParams;
// 这些是我们需要传递给DynamoDB的初始用户创建的参数
let params = {
Item: {...},
TableName:
event.request.userAttributes["custom:group"] === "Candidates"
? process.env[TABLE_NAME]
: process.env[TABLE_NAME],
};
try {
await ddb.putItem(params).promise();
} catch (err) {
console.error("ERROR", err);
}
console.log("Success: Everything executed correctly");
context.done(null, event);
} else {
console.error("ERROR: Nothing was written to DynamoDB");
context.done(null, event);
}
} else {
console.log("Not Confirm Signup, thus not running the code");
context.done(null, event);
}
};
希望这些信息对你有帮助。
英文:
Your graphql Schema can look like this:
type EmployerAccount
@model
@auth(
rules: [
{ allow: owner, operations: [create, update, delete, read] }
{ allow: private, operations: [read] }
{ allow: public, provider: iam, operations: [read] }
]
) {
...
}
You can add a custom:group attribute in your cognito pool like this:
await Auth.signUp({
username: email,
password,
attributes: {
"custom:group": "Employer"
},
});
You can then use a Post Confirmation Lambda Function on your Cognito pool to send them to specific tables.
CLI:
Run amplify update auth and add this as a trigger.
Lambda Function
/**
* @type {import('@types/aws-lambda').APIGatewayProxyHandler}
*/
var dynamodb = require("aws-sdk/clients/dynamodb");
var ddb = new dynamodb({ region: "eu-west-1" });
exports.handler = async (event, context) => {
console.log("EVENT", event);
console.log("CONTEXT", context);
let date = new Date();
// As this is a PostConfirmation trigger, it can be triggered by other events
// We only want to run the code below if the triggerSource is PostConfirmation_ConfirmSignUp
// The other one is possibly "forgot_password" (which we don't want to run this code for)
const valueTrigger = event.triggerSource;
const confirmSignUp = "PostConfirmation_ConfirmSignUp";
// If the triggerSource is PostConfirmation_ConfirmSignUp, then we know that the user has just signed up
if (valueTrigger === confirmSignUp) {
// We only want to run the code below if the user has a sub (unique user ID)
if (event.request.userAttributes.sub) {
// I will use their custom group to determine which parameters need to be passed into the DynamoDB call
const paramsToUse = event.request.userAttributes["custom:group"] === "eMPLOYER" ? candidateParams : employerParams;
// These are the parameters we need to pass to DynamoDB for the initial user creation
let params = {
Item: {...},
TableName:
event.request.userAttributes["custom:group"] === "Candidates"
? process.env[TABLE_NAME]
: process.env.[TABLE_NAME],
};
try {
await ddb.putItem(params).promise();
} catch (err) {
console.error("ERROR", err);
}
console.log("Success: Everything executed correctly");
context.done(null, event);
} else {
console.error("ERROR: Nothing was written to DynamoDB");
context.done(null, event);
}
} else {
console.log("Not Confirm Signup, thus not running the code");
context.done(null, event);
}
};
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论