AWS AppSync executes operations on a GraphQL field using resolvers that consist of a request & a response mapping template. Applications often need to execute multiple operations (frequently against multiple data sources) to resolve a single GraphQL field. In the past, this was only possible by implementing a Lambda function as the resolver, which was not an ideal workflow for many use cases.

With pipeline resolvers, developers can now compose multiple operations (functions) and execute them in sequence against multiple data sources. Pipeline resolvers are useful for applications that, for instance, require performing an authorization check before fetching data for a field.

Pipeline resolvers act very similarly to a standard AppSync resolver; the only difference is that we can encapsulate the functionality into a function that we can then plug in where needed & reuse.

Overview

In this tutorial, you’ll learn how to build a secure AWS AppSync API that implements user authorization by taking advantage of Pipeline Resolvers.

The access pattern we’ll be implementing will look like this:

There are two data sources: one database storing user profiles (including a row specifying permissions like admin for each user) & another database storing blog posts from the users.

The execution for querying for protected posts will look like this:

1. The user queries for data. The resolver passes the query on to the first pipeline function.
2. In the request mapping template of the first pipeline function, we check whether the data the user is querying for belongs to them.
3. If the data does belong to them, we return from the first pipeline function & execute the next pipeline function, because we know the user should be able to query for their own data.
4. If the data does not belong to them, we query their profile from the database (in the next step we'll use the user's profile data to see their role level) & pass the result of the DB query to the response.
5. In the response mapping template, we check the user's profile to see if they are an admin. If they are an admin, we allow the query to continue into the next pipeline function. If they are not an admin, we throw the error message "User is not authorized to make this query" & stop the execution.
6. In the second pipeline function, we query the data from the database in the request mapping template.
7. In the response mapping template, we return the list of posts from the database.
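The mapping templates for both pipeline functions, written out as an added example rather than code from the original post. It assumes DynamoDB data sources, that the query takes a `userId` argument, that the profile table is keyed by `id` with a `role` attribute, that the posts table (or an index on it) is keyed by `userId`, and that the Cognito username is used as the user id.

```velocity
## ---- Function 1, request mapping template ----
## Constructed example. If the caller asks for their own posts, skip the
## profile lookup: #return skips the data source call and the response template,
## and control passes straight to the next function.
#if($ctx.args.userId == $ctx.identity.username)
  #return({})
#end
## Otherwise fetch the caller's own profile row (assumed key "id") so the
## response template can check their role.
{
  "version": "2018-05-29",
  "operation": "GetItem",
  "key": {
    "id": $util.dynamodb.toDynamoDBJson($ctx.identity.username)
  }
}

## ---- Function 1, response mapping template ----
#if($ctx.error)
  $util.error($ctx.error.message, $ctx.error.type)
#end
## A missing profile yields a null $ctx.result, so it fails this check too.
## Only a profile whose (assumed) "role" attribute is "admin" may read another user's posts.
#if($ctx.result.role != "admin")
  $util.error("User is not authorized to make this query", "Unauthorized")
#end
$util.toJson($ctx.result)

## ---- Function 2, request mapping template ----
## Reached only by the owner or an admin; fetch the requested user's posts.
{
  "version": "2018-05-29",
  "operation": "Query",
  "query": {
    "expression": "userId = :userId",
    "expressionValues": {
      ":userId": $util.dynamodb.toDynamoDBJson($ctx.args.userId)
    }
  }
}

## ---- Function 2, response mapping template ----
#if($ctx.error)
  $util.error($ctx.error.message, $ctx.error.type)
#end
$util.toJson($ctx.result.items)
```

Because the authorization decision happens in function 1's templates, function 2 never has to trust anything in the client's arguments beyond the `userId` it was asked to fetch.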

Getting Started

Because we’re implementing a real-world authentication use-case, we’ll be setting the authorization type of the AppSync API to Cognito User Pool & creating a Cognito User Pool for this project. If you already have a Cognito User Pool set up, either through the AWS Console or the AWS Amplify CLI, you can skip this step.

Creating a Cognito User Pool

We’ll first create a Cognito User pool by visiting the AWS Console & searching for Cognito. Here, we’ll click on Manage User Pools & then click Create a user pool.

In this screen, we can accept the default configuration by giving the user pool a name, clicking on Review defaults, then clicking on Create pool.