Skip to content

Added cognito group parsing #3271

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Added cognito group parsing #3271

wants to merge 1 commit into from

Conversation

@benjeater
Copy link

Description of changes

  • When resolving a child model from a parent model using the @auth directive to specify a dynamic group where the groupsField referenced is the same field as the @index directive being used by the parent model's @hasMany directive, an error occurs because the VTL template does not correctly parse the information from the context indentity.claims.cognito:groups
  • This commit adds correct parsing to the VTL generated in this circumstance
  • No linting fixes have been applied to the edited query file because I did not wish to pollute the PR with other changes
CDK / CloudFormation Parameters Changed
  • None

Issue #, if available

Description of how you validated changes

  • A test has been added to check the content of the VTL auth file generated
  • This change has been tested manually within an existing production project that I manage and has fixed an issue I was having with the authorisation.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@benjeater
Added cognito group parsing
c162471 
- When resolving a child model from a parent model using the `@auth` directive to specify a dynamic group where the `groupsField` referenced is the same field as the `@index` directive being used by the parent model's `@hasMany` directive, an error occurs because the VTL template does not correctly parse the information from the context `indentity.claims.cognito:groups`
- This commit adds correct parsing to the VTL generated in this circumstance
- A test has been added to check the content of the VTL auth file generated
- This change has been tested manually within an existing production project that I manage and has fixed an issue I was having with the authorisation.
- No linting fixes have been applied to the edited `query` file because I did not wish to pollute the PR with other changes
@benjeater benjeater requested a review from a team as a code owner April 27, 2025 17:14
@benjeater
Copy link
Author

Additional context:

The current code generates a VTL file that does not utilise the cognito:groups from the requester's claims. The previously generated files looked like this:

## [Start] Authorization Steps. **
$util.qr($ctx.stash.put(\\"hasAuth\\", true))
#set( $isAuthorized = false )
#if( $util.authType() == \\"User Pool Authorization\\" )
  #if( !$isAuthorized )
    #set( $primaryRole0 = $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:groups\\"), null) )
    #if( !$util.isNull($primaryRole0) )


      #set( $ownerClaimsList0 = [] ) ## <--- here is the problem


      #if( (!$util.isNull($ctx.source.id)) && (($ctx.source.id == $primaryRole0) || $ownerClaimsList0.contains($ctx.source.id)) )
        #set( $isAuthorized = true )
        $util.qr($ctx.stash.put(\\"authFilter\\", null))
      #else
        #if( !$isAuthorized && $util.isNull($ctx.stash.authFilter) )
          $util.qr($ctx.stash.connectionAttributes.put(\\"id\\", $primaryRole0))
          #set( $isAuthorized = true )
        #end
      #end
    #end
  #end
#end
#if( !$isAuthorized && $util.isNull($ctx.stash.authFilter) )
$util.unauthorized()
#end
$util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}})
## [End] Authorization Steps. **

You will see that the variable $ownerClaimsList0 is set to an empty list, then is never updated with the values from the claims. The $ownerClaimsList0 variable is used on the next line to check if the id of the source (parent record from DB) is in the claims list. $primaryRole0 currently contains the claims list, but is used for a direct comparison with the id from the source (always false).

It feels like the $ownerClaimsList0 variable was supposed to be populated with a parsed version of the cognito:groups list because why would it otherwise exist?

The changes in this PR parse the cognito:groups into the $ownerClaimsList0 variable so that the authorisation check correctly works. I have added a VTL generated by the updated code below, along with comments to indicate the start and end of the change:

"## [Start] Authorization Steps. **
$util.qr($ctx.stash.put(\\"hasAuth\\", true))
#set( $isAuthorized = false )
#if( $util.authType() == \\"User Pool Authorization\\" )
  #if( !$isAuthorized )
    #set( $primaryRole0 = $util.defaultIfNull($ctx.identity.claims.get(\\"cognito:groups\\"), null) )
    #if( !$util.isNull($primaryRole0) )
      #set( $ownerClaimsList0 = [] )

      ## START OF CHANGE
      #if( $util.isString($primaryRole0) )
        #if( $util.isList($util.parseJson($primaryRole0)) )
          #set( $ownerClaimsList0 = $util.parseJson($primaryRole0) )
        #else
          #set( $ownerClaimsList0 = [$primaryRole0] )
        #end
      #else
        #set( $ownerClaimsList0 = $primaryRole0 )
      #end
      ## END OF CHANGE

      #if( (!$util.isNull($ctx.source.id)) && (($ctx.source.id == $primaryRole0) || $ownerClaimsList0.contains($ctx.source.id)) )
        #set( $isAuthorized = true )
        $util.qr($ctx.stash.put(\\"authFilter\\", null))
      #else
        #if( !$isAuthorized && $util.isNull($ctx.stash.authFilter) )
          $util.qr($ctx.stash.connectionAttributes.put(\\"id\\", $primaryRole0))
          #set( $isAuthorized = true )
        #end
      #end
    #end
  #end
#end
#if( !$isAuthorized && $util.isNull($ctx.stash.authFilter) )
$util.unauthorized()
#end
$util.toJson({\\"version\\":\\"2018-05-29\\",\\"payload\\":{}})
## [End] Authorization Steps. **"

@benjeater
Copy link
Author

@AnilMaktala @phani-srikar you are both assigned to the ticket that I believe this ticket fixes. Could you please review this PR or assign it to the relevant person?

@benjeater
Copy link
Author

@ShadowCat567 Any chance you can approve this? I've seen you approving other PRs recently.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@benjeater