
feat(graphql-auth-transformer): implement owner.inGroup() AND logic authorization#3382

Open
cheruvian wants to merge 1 commit into aws-amplify:main from cheruvian:feat/owner-in-group

Conversation

@cheruvian

Description of changes

Add transformer support for owner.inGroup() authorization rules that require both owner matching AND group membership. When an owner rule has static groups defined via inGroup(), the generated VTL resolvers enforce that users must match the owner field AND be a member of one of the specified groups.

Key changes:

  • Add operationGroups and groupClaim to RoleDefinition for tracking AND requirements
  • Generate VTL that checks cognito:groups claim alongside owner validation
  • Support operation-specific group requirements via inGroup()
  • Add validation to block owner.inGroup() for SQL data sources (not supported)

CDK / CloudFormation Parameters Changed

None - this change affects VTL resolver generation only.

Issue #, if available

Closes #3381

Description of how you validated changes

  • Added comprehensive unit tests for owner auth with group requirements
  • Snapshot tests updated to verify correct GraphQL schema generation
  • yarn test passes (4897 tests passed in auth-transformer package)

Checklist

  • PR description included
  • yarn test passes
  • E2E test run linked
  • Tests are changed or added
  • Relevant documentation is changed or added (and PR referenced)
  • New AWS SDK calls or CloudFormation actions have been added to relevant test and service IAM policies
  • Any CDK or CloudFormation parameter changes are called out explicitly

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
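To make the AND semantics concrete, here is an added TypeScript model of the decision the description says the generated VTL enforces: the item's owner field must match the caller's identity claim AND the caller's group claim must contain at least one of the static groups passed to inGroup(). This is illustrative code written for this page, not the transformer's VTL and not an Amplify API. The rule shape, the claim names (cognito:username, cognito:groups), the list-valued owner field and the JSON-encoded group claim are assumptions, and the sample item and callers are constructed.

```typescript
// Added illustration (not amplify-category-api code): the allow/deny decision an
// owner rule with static groups requires, written in plain TypeScript so it can be
// run and tested outside a resolver. Field and claim names are assumptions.

type AuthClaims = {
  sub?: string;
  "cognito:username"?: string;
  "cognito:groups"?: string[] | string;
  [claim: string]: unknown;
};

type OwnerInGroupRule = {
  ownerField: string;      // item attribute holding the owner(s), e.g. "owner"
  identityClaim: string;   // JWT claim compared against ownerField
  groupClaim: string;      // JWT claim listing the caller's groups
  allowedGroups: string[]; // static groups supplied to inGroup()
};

type DbItem = Record<string, unknown>;

type Decision = { allowed: boolean; reason: string };

// Normalise a value that may be a string, a list of strings, or a JSON-encoded
// list (assumed shape for some non-Cognito OIDC providers) into a string list.
// Anything else normalises to an empty list, i.e. no match.
function asStringList(value: unknown): string[] {
  if (Array.isArray(value)) {
    return value.filter((v): v is string => typeof v === "string");
  }
  if (typeof value === "string") {
    const trimmed = value.trim();
    if (trimmed.startsWith("[")) {
      try {
        return asStringList(JSON.parse(trimmed));
      } catch (_err) {
        return []; // malformed list claim: treat as no groups
      }
    }
    return trimmed.length > 0 ? [trimmed] : [];
  }
  return [];
}

// Owner check: identity claim must be present and appear in the owner field,
// which may hold a single owner or a list of owners.
function ownerMatches(item: DbItem, rule: OwnerInGroupRule, claims: AuthClaims): boolean {
  const identity = claims[rule.identityClaim];
  if (typeof identity !== "string" || identity.length === 0) return false;
  return asStringList(item[rule.ownerField]).includes(identity);
}

// Group check: caller's group claim must intersect the static allow-list.
// An empty allow-list fails closed rather than degrading to owner-only auth.
function groupMatches(rule: OwnerInGroupRule, claims: AuthClaims): boolean {
  if (rule.allowedGroups.length === 0) return false;
  const groups = asStringList(claims[rule.groupClaim]);
  return groups.some((g) => rule.allowedGroups.includes(g));
}

// AND of both checks; the reason string distinguishes the two partial matches
// so a denial can be logged without guessing which half failed.
function authorizeOwnerInGroup(item: DbItem, rule: OwnerInGroupRule, claims: AuthClaims): Decision {
  const owner = ownerMatches(item, rule, claims);
  const group = groupMatches(rule, claims);
  if (owner && group) return { allowed: true, reason: "owner and group both satisfied" };
  if (!owner && !group) return { allowed: false, reason: "neither owner nor group satisfied" };
  return {
    allowed: false,
    reason: owner
      ? "owner matched but caller is not in an allowed group"
      : "caller is in an allowed group but is not the owner",
  };
}

// Constructed sample data: one record owned by "alice" and three callers.
const sampleItem: DbItem = { id: "post-1", owner: "alice", title: "draft" };
const rule: OwnerInGroupRule = {
  ownerField: "owner",
  identityClaim: "cognito:username",
  groupClaim: "cognito:groups",
  allowedGroups: ["Editors"],
};
const aliceEditor: AuthClaims = { sub: "uuid-alice", "cognito:username": "alice", "cognito:groups": ["Editors"] };
const aliceNoGroup: AuthClaims = { sub: "uuid-alice", "cognito:username": "alice" };
const bobEditor: AuthClaims = { sub: "uuid-bob", "cognito:username": "bob", "cognito:groups": ["Editors", "Admins"] };

console.log(authorizeOwnerInGroup(sampleItem, rule, aliceEditor));
console.log(authorizeOwnerInGroup(sampleItem, rule, aliceNoGroup));
console.log(authorizeOwnerInGroup(sampleItem, rule, bobEditor));
```

The point worth checking in any real resolver is the same as in this model: a missing identity claim, a missing or malformed group claim, and an empty allowed-group list all deny, because a group check that silently passes turns the AND back into plain owner auth, and an owner check that silently passes turns it into plain group auth (which would let any Editor read every owner's records).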

…uthorization

Add transformer support for owner-based auth rules that require group membership.
When an owner rule has static groups defined, the generated VTL resolvers enforce
that users must match the owner field AND be in one of the specified groups.

- Add operationGroups and groupClaim to RoleDefinition for tracking AND requirements
- Generate VTL that checks cognito:groups claim alongside owner validation
- Support operation-specific group requirements via inGroup()
- Add validation to block owner.inGroup() for SQL data sources (not supported)
- Add comprehensive unit tests for owner auth with group requirements

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@cheruvian cheruvian requested a review from a team as a code owner December 19, 2025 05:29


Development

Successfully merging this pull request may close these issues.

feat: Add owner.inGroup() for AND logic authorization (owner + group membership)
