
How to restrict access to an AWS API Gateway endpoint by Cognito user id

I am trying to implement an e-commerce application backend using AWS Cognito, API Gateway, and Lambda.

To create a new item, users must be logged in. Once the item is created, the logged-in user will be the creator of the item. I have already created an item-create endpoint and added the Cognito JWT authorizer to the API Gateway endpoint.

Now I need to implement the item-update endpoint. Updating an item must be allowed only for the creator of that item. The API may look like this:

/items/{item-id} PUT
body : { title, price... }
header { Authorization: Cognito-JWT-Token }

What is the best way to implement this kind of feature using the AWS ecosystem? Or are there any best practices for implementing this kind of feature?

You would create a property owner for each item that is a user ID. Normally you'd use the sub claim from the token, which is a unique ID. However, for various reasons, I wouldn't recommend using the subject value with Cognito. You can use email; just ensure safeguards are in place if someone deletes their account and a new one is created with the same email.

Whatever you choose, in your handler compare the owner with the validated token claim. Allow if they match, disallow if they don't.
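The check described in the answer above, as an added example that is not part of the original question or answer. It assumes an API Gateway HTTP API with a Cognito JWT authorizer (so the validated claims arrive under event["requestContext"]["authorizer"]["jwt"]["claims"]), uses the email claim as the owner key as the answer suggests, and stands an in-memory dict in for the DynamoDB table; the item ids and addresses are constructed sample data.

```python
import json

# Constructed sample store standing in for DynamoDB: item id -> record.
ITEMS = {
    "item-1": {"owner": "alice@example.com", "title": "Lamp", "price": 20},
}

# Fields a client may change. "owner" is deliberately absent, so a request
# body cannot reassign ownership.
ALLOWED_FIELDS = {"title", "price"}


def caller_identity(event):
    """Return the caller's email from the authorizer-validated claims, or None.

    The identity is read only from requestContext, which API Gateway fills in
    after validating the JWT; never from the body or a client-set header.
    """
    claims = (event.get("requestContext", {})
                   .get("authorizer", {})
                   .get("jwt", {})
                   .get("claims", {}))
    return claims.get("email")


def update_item(event, items=ITEMS):
    """Handle PUT /items/{item-id}; only the stored owner may update."""
    item_id = event.get("pathParameters", {}).get("item-id")
    item = items.get(item_id)
    if item is None:
        return {"statusCode": 404, "body": json.dumps({"error": "not found"})}
    who = caller_identity(event)
    if who is None:
        return {"statusCode": 401, "body": json.dumps({"error": "unauthenticated"})}
    # Ownership check: stored owner versus the validated token claim.
    if item["owner"] != who:
        return {"statusCode": 403, "body": json.dumps({"error": "forbidden"})}
    body = json.loads(event.get("body") or "{}")
    changes = {k: v for k, v in body.items() if k in ALLOWED_FIELDS}
    # With a real table, repeat the check in the write itself (a DynamoDB
    # ConditionExpression on owner) so a concurrent owner change cannot
    # slip between this read and the update.
    item.update(changes)
    return {"statusCode": 200, "body": json.dumps(item)}


def lambda_handler(event, context):
    return update_item(event)
```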
