Multi-tenant (organisation) support for GQL APIs #949
Labels
api-graphql
duplicate
This issue or pull request already exists
feature-request
New feature or request
transferred
Is your feature request related to a problem? Please describe.
I've set up a prototype API for a SaaS product that involves having multiple organisations. To move forward we need to ensure that an organisations data is protected from other organisations being able to access it both in the Frontend and through the APIs.
The frontend is straight-forward enough, API we're not sure how best to proceed. We know we can create custom resolvers but we'd lose some of the nice automation Amplify provides.
We could create a "middleware" REST API to handle all requests and ensure the user is part of the tenant or organisation that the data requested belongs to. If successful we can then forward it to the GQL APIs through the App Sync SDK, otherwise we could return 401. This solution would allow us to keep the automation but would add additional processing time and cost to each request.
Before moving ahead with one of these options, it'd be great to know:
Describe the solution you'd like
Ideally, it'd be great to see this as part of the
@auth
directive. We can restrict the entire model to certain Cognito groups, but if we could restrict the response data based on a custom Cognito field that is mapped to a model field that would be perfect.For Example:
Within cognito we have a
custom:tenantID
field. Then within the GQL schema we can have:Describe alternatives you've considered
I've thought about rather than custom fields, the user pools within Cognito could have a permanent tenant field removing the need for the custom mapping ("custom:tenantID" -> "tenantID"). However, not sure if that would raise internal complications having to make changes to both the Amplify and the Cognito services.
For example:
Additional Context
Amplify has been fantastic to work with. It's been amazing getting the prototype up and running so quickly and it'd be great to move forward with it!
The text was updated successfully, but these errors were encountered: