I seem to have gotten this working, with one question:
Type:
type Mutation {
  newPost(
    name: String!
    description: String!
    published: Boolean!
  ): ID! @lambda
}
Lambda:
async function newPost({args, graphql}) {
  // Build the input for addPost; nameKebab is derived here, server-side,
  // rather than accepted from the client.
  const newArgs = {
    name: args.name,
    description: args.description,
    nameKebab: args.name.replace(/\s/g, "-").toLowerCase(),
    published: args.published
  };
  // Call the auto-generated addPost mutation from inside the lambda.
  const results = await graphql(`mutation addPost($post: AddPostInput!) {
    addPost(input: [$post]) {
      post {
        id
        name
        description
        published
      }
    }
  }`, {"post": newArgs});
  // Return only the new post's ID, matching the ID! return type of newPost.
  return results.data.addPost.post[0].id;
}
self.addGraphQLResolvers({
  "Mutation.newPost": newPost
});
Mutation:
private NEW_POST = gql`
  mutation newPost($name: String!, $description: String!, $published: Boolean!) {
    newPost(name: $name, description: $description, published: $published)
  }
`;
Security:
type Post @withSubscription @auth(
  add: { rule: "{$DENIED: { eq: \"DENIED\" } }"}
) {
  id: ID!
  name: String! @search(by: [fulltext])
  description: String! @search(by: [fulltext])
  nameKebab: String @search(by: [exact])
  published: Boolean!
}
Please let me know any way to simplify the mutation, as there is only one real line of code that matters here.
This security part obviously does not work, as it locks any new adds… This is the question I do not understand. If I cannot prevent someone from running addPost directly, there is no point in creating any of this on the backend.
How could this be done security-wise?
Thanks,
J
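Added example, not the original poster's code and not an official Dgraph snippet: a version of the newPost lambda that leaves the @auth deny rule on Post in place for every GraphQL caller and performs the write itself through the dql helper, building the N-Quads from validated and escaped arguments. It assumes the Dgraph Lambda resolver signature ({args, dql}), that dql.mutate() accepts an RDF mutation string, that DQL mutations issued from a lambda are not subject to the GraphQL @auth rules, that GraphQL fields are stored as Post.name-style predicates with dgraph.type set to "Post", and that the mutation response carries the new uid under data.uids.post. All of those are assumptions about Dgraph; check them against the release you run before relying on this.

```javascript
// Added example, not the poster's code. Assumptions (verify against your
// Dgraph version): resolvers receive {args, dql}; dql.mutate() takes an RDF
// mutation string and is not governed by GraphQL @auth; GraphQL fields live
// under predicates like Post.name; the response has data.uids.<blank-node>.

// Turn a title into a URL slug: lowercase, runs of non-alphanumerics become
// a single "-", leading/trailing "-" removed (so "a  b!" -> "a-b").
function slugify(name) {
  return name
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, "-")
    .replace(/^-+|-+$/g, "");
}

// Escape text for a double-quoted RDF literal. Without this, a caller could
// put a quote in the name, close the literal and append triples of their own
// to the mutation string (an injection into the DQL mutation).
function rdfLiteral(s) {
  const escaped = String(s)
    .replace(/\\/g, "\\\\")   // backslash first, so later escapes are not doubled
    .replace(/"/g, '\\"')
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r")
    .replace(/\t/g, "\\t");
  return `"${escaped}"`;
}

// Validate the arguments and build the N-Quads for one new Post node.
function buildPostNquads(args) {
  const { name, description, published } = args;
  if (typeof name !== "string" || name.trim() === "") throw new Error("name is required");
  if (typeof description !== "string") throw new Error("description is required");
  if (typeof published !== "boolean") throw new Error("published must be a boolean");
  const nameKebab = slugify(name);
  if (nameKebab === "") throw new Error("name must contain at least one letter or digit");
  return [
    `_:post <dgraph.type> "Post" .`,
    `_:post <Post.name> ${rdfLiteral(name)} .`,
    `_:post <Post.description> ${rdfLiteral(description)} .`,
    `_:post <Post.nameKebab> ${rdfLiteral(nameKebab)} .`,
    `_:post <Post.published> "${published}" .`,
  ].join("\n");
}

// Lambda resolver for Mutation.newPost. It never calls addPost, so the
// @auth add rule on Post can deny every GraphQL caller and this remains the
// only way to create a post.
async function newPost({ args, dql }) {
  const nquads = buildPostNquads(args);
  const res = await dql.mutate(`{ set {\n${nquads}\n} }`);
  return res.data.uids.post; // uid assigned to the _:post blank node (assumed shape)
}

// Register the resolver when running inside Dgraph Lambda (self is undefined in Node).
if (typeof self !== "undefined" && self.addGraphQLResolvers) {
  self.addGraphQLResolvers({ "Mutation.newPost": newPost });
}

// Offline demo with a constructed stand-in for the dql helper (not a real Dgraph).
async function demo() {
  const fakeDql = {
    mutate: async (m) => { console.log(m); return { data: { uids: { post: "0x2a" } } }; },
  };
  const id = await newPost({
    args: { name: "Hello, World!", description: "first post", published: true },
    dql: fakeDql,
  });
  console.log("created post", id);
}
if (typeof require !== "undefined" && require.main === module) demo();
```

This closes the direct addPost path, but newPost itself is still callable by anyone who can reach the endpoint. If only some callers may create posts, the lambda has to check the caller's identity before calling dql.mutate, for instance by validating the claims of the request's JWT (Dgraph is assumed to hand the Authorization header to the resolver as authHeader; verify that for your version).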