Hi, currently I use Apollo Server to create a handler for Lambda and test the requester object to see whether it is authorized or not, to ensure mutations can only be made by signed-in users. But I am wondering if there is a better approach?
e.g. create 2 functions, one GET for queries, accessible to the unauthorized IAM role, and the other POST for mutations, which is only accessible to the authorized role?
# serverless.yml
functions:
  query:
    handler: lib/handler.main
    events:
      - http:
          path: graphql
          method: post
          cors: true
          authorizer: aws_iam
// handler.ts
import { ApolloServer } from 'apollo-server-lambda';
import { typeDefs } from './schema';       // assumed local module holding the SDL
import { resolvers } from './resolvers';   // assumed local module holding the resolver map
import { authenticated, getRequesterSub } from './auth'; // assumed helpers (not shown in the post)

const server = new ApolloServer({
  typeDefs,
  resolvers,
  introspection: true,
  // Context is rebuilt per request: requester is the signed-in user's sub, or null for guests
  context: ({ event, context }) => ({
    requester: authenticated(event) ? getRequesterSub(event) : null
  })
});

export const main = server.createHandler({
  cors: {
    origin: '*',        // note: browsers reject a wildcard origin combined with credentials: true
    credentials: true
  }
});
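One way to implement the context-based approach from the post, as an added example that is not the poster's code: derive the requester from the `aws_iam`-authorized event's Cognito identity fields and wrap every mutation resolver with a single signed-in guard, so the check is not repeated per resolver. The `authenticated`/`getRequesterSub` bodies, the minimal event interface and the sample events are assumptions; Apollo itself is left out so the file runs stand-alone.

```typescript
// Minimal shape of the API Gateway REST proxy event fields used here (assumed).
interface ApiGatewayIdentity {
  cognitoAuthenticationType?: string | null;     // 'authenticated' | 'unauthenticated'
  cognitoAuthenticationProvider?: string | null; // '<pool>,<pool>:CognitoSignIn:<sub>'
}
interface ApiGatewayEvent { requestContext: { identity: ApiGatewayIdentity } }

// With `authorizer: aws_iam` API Gateway has already checked the SigV4 signature;
// the identity block tells us which Cognito identity-pool role signed the request.
function authenticated(event: ApiGatewayEvent): boolean {
  return event.requestContext.identity.cognitoAuthenticationType === 'authenticated';
}

// Pull the user-pool `sub` out of the provider string; null for the guest role
// or for a string that does not have the expected ':CognitoSignIn:<sub>' suffix.
function getRequesterSub(event: ApiGatewayEvent): string | null {
  const provider = event.requestContext.identity.cognitoAuthenticationProvider;
  if (!authenticated(event) || !provider) return null;
  const marker = ':CognitoSignIn:';
  const idx = provider.lastIndexOf(marker);
  if (idx < 0) return null;
  const sub = provider.slice(idx + marker.length);
  return sub.length > 0 ? sub : null;
}

interface Context { requester: string | null }
function buildContext(event: ApiGatewayEvent): Context {
  return { requester: getRequesterSub(event) };
}

// Guard for mutation resolvers: reject before any resolver logic runs when no
// signed-in user is in the context (Apollo would surface this as a GraphQL error).
type Resolver<A, R> = (parent: unknown, args: A, ctx: Context) => R;
function requireSignedIn<A, R>(resolver: Resolver<A, R>): Resolver<A, R> {
  return (parent, args, ctx) => {
    if (ctx.requester === null) throw new Error('UNAUTHENTICATED: sign in to run mutations');
    return resolver(parent, args, ctx);
  };
}

// Constructed mutation resolver: records which user created the post.
const createPost = requireSignedIn((_p, args: { title: string }, ctx) => ({
  title: args.title, author: ctx.requester,
}));

// Constructed sample events; pool id and sub are made-up values in the real format.
const POOL = 'cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE';
const signedIn: ApiGatewayEvent = { requestContext: { identity: {
  cognitoAuthenticationType: 'authenticated',
  cognitoAuthenticationProvider: `${POOL},${POOL}:CognitoSignIn:11111111-2222-3333-4444-555555555555`,
} } };
const guest: ApiGatewayEvent = { requestContext: { identity: {
  cognitoAuthenticationType: 'unauthenticated', cognitoAuthenticationProvider: null,
} } };
```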