I have implemented an AWS Lambda authorization layer for my GraphQL queries and mutations, such that a user may only read/write data to a particular DynamoDB table item iff they are a member of the group that the item belongs to, implemented using a groupId partition key and a sort key of itemId. So that the table can have many itemIds with a common groupId, and also many different groupIds. This all works as expected.
Now I would like to be able to extend this group authorization to my real time GraphQL subscriptions. I observe that unparameterized subscriptions broadcast to all users. I need a solution that constrains the subscription events such that all group members and only group members receive the subscription event for mutations on table data containing the corresponding groupID key. A user, being a member of many groups, will receive subscription events for all groups that they are a member of.
The groups and group members are dynamic, with groups being created and members being added by application business logic.
I observe a multitude of AWS authorization techniques, static and dynamic. I have seen examples of parameterized subscriptions and subscription resolvers that target subscribing only to one item, but nothing that I can see that fits my particular 'multi-group' need.
I am using AWS Amplify API for client GraphQL calls. I observe Apollo has a subscribeToMore() that might be helpful for this scenario, but I presently prefer to stay away from the rework required for me to fit my UI into Apollo 2's Render Props pattern.
Any thoughts?
