我将Amplify用于Web应用程序(应用程序A),但我还有另一个node.js应用程序(应用程序B),我想使用它将一些数据写入DynamoDB表.应用程序B没有前端,因此,我需要应用程序B能够有一个未经授权的访问(或找到一种方法来验证在后端.
我做了以下工作:
- 已初始化放大
- 建立Cognito应用程序池
- 已在Team-Provider-info.json中列出的unauth角色上配置各种策略
- 已将取消身份验证角色附加到联合身份策略
- 同时try 了AWS_APPSYNC_AUTHENTIONTYPE":"Amazon_Cognito_User_Pools"和"IAM"
- 将模型上的身份验证规则设置为公共
- RAN放大更新身份验证以设置未经身份验证的访问
然而,在Amplify CLI中和在AppSync控制台中使用查询时,我仍然收到错误"Not Authorated to Access ListPersonalInfos on type Query".
下面是我的身份验证解析器VTL和CloudWatch日志(log)
Auth Resolver VTL个
## [Start] Authorization Steps. **
$util.qr($ctx.stash.put("hasAuth", true))
#set( $isAuthorized = false )
#set( $primaryFieldMap = {} )
#if( $util.authType() == "API Key Authorization" )
#end
#if( $util.authType() == "IAM Authorization" )
#set( $adminRoles = ["ap-southeast-2_YNRFmtdr2_Full-access/CognitoIdentityCredentials","ap-southeast-2_YNRFmtdr2_Manage-only/CognitoIdentityCredentials"] )
#foreach( $adminRole in $adminRoles )
#if( $ctx.identity.userArn.contains($adminRole) && $ctx.identity.userArn != $ctx.stash.authRole && $ctx.identity.userArn != $ctx.stash.unauthRole )
#return($util.toJson({}))
#end
#end
$util.unauthorized()
#end
#if( $util.authType() == "User Pool Authorization" )
#if( !$isAuthorized )
#set( $staticGroupRoles = [{"claim":"cognito:groups","entity":"GoThriveAdmin"}] )
#foreach( $groupRole in $staticGroupRoles )
#set( $groupsInToken = $util.defaultIfNull($ctx.identity.claims.get($groupRole.claim), []) )
#if( $groupsInToken.contains($groupRole.entity) )
#set( $isAuthorized = true )
#break
#end
#end
#end
#if( !$isAuthorized )
#set( $authFilter = [] )
#set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get("sub"), null) )
#set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get("username"), $util.defaultIfNull($ctx.identity.claims.get("cognito:username"), null)) )
#if( !$util.isNull($ownerClaim0) && !$util.isNull($currentClaim1) )
#set( $ownerClaim0 = "$ownerClaim0::$currentClaim1" )
#if( !$util.isNull($ownerClaim0) )
$util.qr($authFilter.add({"owner": { "eq": $ownerClaim0 }}))
#end
#end
#set( $role0_0 = $util.defaultIfNull($ctx.identity.claims.get("sub"), null) )
#if( !$util.isNull($role0_0) )
$util.qr($authFilter.add({"owner": { "eq": $role0_0 }}))
#end
#set( $role0_1 = $util.defaultIfNull($ctx.identity.claims.get("username"), $util.defaultIfNull($ctx.identity.claims.get("cognito:username"), null)) )
#if( !$util.isNull($role0_1) )
$util.qr($authFilter.add({"owner": { "eq": $role0_1 }}))
#end
#if( !$authFilter.isEmpty() )
$util.qr($ctx.stash.put("authFilter", { "or": $authFilter }))
#end
#end
#end
#if( !$isAuthorized && $util.isNull($ctx.stash.authFilter) )
$util.unauthorized()
#end
$util.toJson({"version":"2018-05-29","payload":{}})
## [End] Authorization Steps. **
CloudWatch Logs个
{
"logType": "RequestMapping",
"path": [
"listPersonalInfos"
],
"fieldName": "listPersonalInfos",
"resolverArn": "arn:aws:appsync:ap-southeast-2:771661204178:apis/6pu5wf3wvfcr7dh3zribqhp6ua/types/Query/resolvers/listPersonalInfos",
"functionName": "QuerygetPersonalInfoauth0Function",
"requestId": "1817ebd7-80d3-48da-93d3-471f37aa665a",
"context": {
"arguments": {},
"prev": {
"result": {}
},
"stash": {
"authRole": "arn:aws:sts::771661204178:assumed-role/amplify-talentui-dev-122653-authRole/CognitoIdentityCredentials",
"conditions": [],
"connectionAttributes": {},
"fieldName": "listPersonalInfos",
"hasAuth": true,
"metadata": {
"dataSourceType": "AMAZON_DYNAMODB",
"apiId": "6pu5wf3wvfcr7dh3zribqhp6ua"
},
"tableName": "PersonalInfo-6pu5wf3wvfcr7dh3zribqhp6ua-dev",
"typeName": "Query",
"unauthRole": "arn:aws:sts::771661204178:assumed-role/amplify-talentui-dev-122653-unauthRole/CognitoIdentityCredentials"
},
"outErrors": []
},
"fieldInError": true,
"errors": [
"Not Authorized to access listPersonalInfos on type Query"
],
"parentType": "Query",
"graphQLAPIId": "6pu5wf3wvfcr7dh3zribqhp6ua",
"functionArn": "arn:aws:appsync:ap-southeast-2:771661204178:apis/6pu5wf3wvfcr7dh3zribqhp6ua/functions/2zc46rgvzjgn3osvltkfuz4g3y"
}