AWS Amplify: Cognito Authorization for Lambda REST API (Part 3)

evan kirkiles
3 min read · Mar 7, 2022


With the Lambda layer from Part 1 and the Lambda function from Part 2, let’s finally synthesize everything into a Cognito-authorized REST API that can be called from our client to perform cascade deletion on a table in our GraphQL API!


With our Lambda layer finished and our Clothe serverless express Lambda function constructed, let’s finally get to adding the REST API to call the cascade deletion function for our Clothes table from our client.

Add the API from the command line:

$ amplify add api
? Select from one of the below mentioned services: REST
✔ Provide a friendly name for your resource to be used as a label for this category in the project: · <my-wardrobe-app>api
✔ Provide a path (e.g., /book/{isbn}): · /clothe/{clotheId}
✔ Choose a Lambda source · Use a Lambda function already added in the current Amplify project
✔ Choose the Lambda function to invoke by this path · clotheAPI
✔ Restrict API access? (Y/n) · yes
✔ Restrict access by: · Auth/Guest Users
✔ Who should have access? · Authenticated users only
✔ What permissions do you want to grant to Authenticated users? · delete
✔ Do you want to add another path? (y/N) · no
Successfully added resource <my-wardrobe-app>api locally

In an ideal world, this would be everything we need for our REST API to be up and running (after amplify push, of course). But alas, such is not the case. This creates the REST API, but the Cognito user pool verification will not work unless we either (a) manually change the Authorizer of each route in the AWS API Gateway console to a new one based on our Cognito user pool every time we update this API, or (b) override the CloudFormation template so it does this for us.

Obviously, we’ll go with (b). Fortunately, the override code is fairly simple. We need to tell Amplify that we’re adding override code to our API by running the following command and selecting our above-created REST API:

$ amplify override api

This will create a file called override.ts in amplify/backend/api/<my-wardrobe-app>api/. Open that file and copy over the following code, making sure to replace <your auth name here> on line 19 with the name of your project’s auth resource:

What this CDK override file does is create an Authorizer on all methods in our REST API based on the Cognito User Pool configured in our AWS Amplify project (many thanks to @johnEthicalTechnology on GitHub for this great solution). With the REST API correctly overridden, access to the API is now restricted to users authorized through our Cognito User Pool. What’s more, the header the Authorizer checks is the Authorization header carrying the Cognito JWT, in the form Authorization: Bearer XXXX, which is exactly what we set up our Lambda function to parse. So it’s finally time:
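The override file itself is an embedded gist that did not survive on this page, so here is an added reconstruction of the approach the post credits (my example, not the post’s own code). Assumptions: the local RestResourceStack interface stands in for the AmplifyApiRestResourceStackTemplate type the real file imports, and AUTH_RESOURCE_NAME is a placeholder for your auth resource’s logical ID.

```typescript
// Added example (assumption): reconstructs the override.ts logic, not the post's own gist.
// The real file imports AmplifyApiRestResourceStackTemplate from
// '@aws-amplify/cli-extensibility-helper'; this local interface mirrors only the
// members used below so the function can run offline against a stub.
interface RestResourceStack {
  addCfnParameter(props: { type: string; description: string; default?: string },
                  name: string, value?: unknown): void;
  restApi: {
    body: { paths: Record<string, unknown> };
    addPropertyOverride(propertyPath: string, value: unknown): void;
  };
}

// Placeholder: logical ID of your Amplify auth resource ("auth" + the auth name).
const AUTH_RESOURCE_NAME = 'auth<your auth name here>';

export function override(resources: RestResourceStack): void {
  // 1. Import the User Pool ID from the auth stack as a template parameter.
  resources.addCfnParameter(
    { type: 'String', description: 'Cognito User Pool ID for the API authorizer', default: 'NONE' },
    'AuthCognitoUserPoolId',
    { 'Fn::GetAtt': [AUTH_RESOURCE_NAME, 'Outputs.UserPoolId'] },
  );

  // 2. Declare a Cognito User Pool authorizer: API Gateway validates the JWT in the
  //    Authorization header against the pool before the Lambda is invoked at all.
  resources.restApi.addPropertyOverride('Body.securityDefinitions', {
    Cognito: {
      type: 'apiKey',
      name: 'Authorization',
      in: 'header',
      'x-amazon-apigateway-authtype': 'cognito_user_pools',
      'x-amazon-apigateway-authorizer': {
        type: 'cognito_user_pools',
        providerARNs: [{ 'Fn::Join': ['', ['arn:aws:cognito-idp:', { Ref: 'AWS::Region' },
          ':', { Ref: 'AWS::AccountId' }, ':userpool/', { Ref: 'AuthCognitoUserPoolId' }]] }],
      },
    },
  });

  // 3. Require that authorizer on the ANY method of every generated path
  //    (here /clothe/{clotheId} and /clothe/{clotheId}/{proxy+}).
  for (const path of Object.keys(resources.restApi.body.paths)) {
    resources.restApi.addPropertyOverride(
      `Body.paths.${path}.x-amazon-apigateway-any-method.security`,
      [{ Cognito: [] }],
    );
  }
}
```

Because the check happens in API Gateway, a request without a valid pool-issued token is rejected before the Lambda runs and never reaches your GraphQL deletion logic.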

Push to Amplify! amplify push --yes

Assuming all goes well, you can now run the cascade deletion through the AWS Amplify JavaScript API library like so, while logged in with a valid current session:

Note how we add the Authorization header to the request: this is what makes sure the request passes through the Authorizer we added in the CloudFormation override.

That’s it! You now have a remote cascade deletion workflow that runs independently of your client. When a logged-in user sends a DELETE request to the API endpoint with their session’s ID JWT token as in line 13, the Lambda function uses correctly scoped GraphQL queries to delete all dependent entries in the table. We can also use the returned list of Clothe and Outfit ids to perform tag invalidation if we’re using some form of API caching library like RTK Query.

Hopefully this little series was helpful. I know I sure would have saved a lot of sweat and tears if knowledge on this had been a little bit easier to come by.

If you have any questions or implementation issues, feel free to shoot me an email at kirkilese@gmail.com!
