Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(conversation): require auth input for conversation directive #3007

Merged
merged 2 commits into from
Nov 11, 2024
Merged

feat(conversation): require auth input for conversation directive #3007

merged 2 commits into from
Nov 11, 2024

Conversation

atierian
Copy link
Member

@atierian atierian commented Nov 6, 2024
edited
Loading

Related PR

Problem

The @conversation directive implicitly uses owner auth (cognito user pool) for associated models and operations because it's the only supported option.

In the future, we may want to extend conversation routes to additional authorization strategies. When that time comes, we'll be forced to make a decision between:

  1. implicit owner auth by default, opt into new authorization strategies
    --- or ---
  2. breaking change (forcing explicit authorization definition)

Description of changes

We're not going to support additional authorization strategies by GA, but we are making the decision to go with 2. breaking change (forcing explicit authorization definition) already. We're doing this now while we can so that we don't have to make a difficult decision later.

  • Adds auth: ConversationAuth! argument to @conversation directive.

The only supported strategy and provider for now are owner and userPools:

input ConversationAuth {
  strategy: ConversationAuthStrategy!
  provider: ConversationAuthProvider!
}
enum ConversationAuthStrategy {
  owner
}
enum ConversationAuthProvider {
  userPools
}

Why not just use @auth?

We could, but that would involve adding a check in the auth transformer that skipped any of it's work if the field also contained a @conversation directive. I'm not ok with doing that.

CDK / CloudFormation Parameters Changed

Issue #, if available

Description of how you validated changes

Checklist

  • PR description included
  • yarn test passes
  • E2E test run linked
  • Tests are changed or added
  • Relevant documentation is changed or added (and PR referenced)
  • New AWS SDK calls or CloudFormation actions have been added to relevant test and service IAM policies
  • Any CDK or CloudFormation parameter changes are called out explicitly

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@atierian atierian mentioned this pull request Nov 6, 2024
Merged
@atierian atierian force-pushed the ai.conversation-require-auth branch from 91177f2 to f0590b6 Compare November 6, 2024 17:41
@atierian atierian marked this pull request as ready for review November 6, 2024 17:41
@atierian atierian requested a review from a team as a code owner November 6, 2024 17:41
palpatim
palpatim approved these changes Nov 8, 2024
View reviewed changes
Copy link
Member

@palpatim palpatim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Discussed with @atierian. This seems to be the best of the available options, based on how we have to shuttle auth payloads between clients, AppSync, Lambdas, and tools.

It's a bit unfortunate that we have to have a special-case auth case for this directive, but it's mitigated by the fact that the Gen 2 API acts like a "normal" authorization modifier. That makes the GraphQL directive itself an implementation detail of the happy path; and an escape hatch for customers who use CDK rather than Gen 2.

Approved for both implementation and API bar raiser.

@atierian atierian merged commit 39cca3f into main Nov 11, 2024
7 checks passed
@atierian atierian deleted the ai.conversation-require-auth branch November 11, 2024 17:28
@atierian atierian mentioned this pull request Nov 12, 2024
Merged
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dpilch dpilch dpilch approved these changes

@palpatim palpatim palpatim approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@atierian @palpatim @dpilch