Skip to content

feat(auth): add inGroup() method for owner authorization #643

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
cheruvian wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(auth): add inGroup() method for owner authorization #643

cheruvian wants to merge 1 commit into from

Conversation

@cheruvian
Copy link

@cheruvian cheruvian commented Dec 19, 2025

Problem

Currently, owner-based authorization and group-based authorization are separate strategies that work with OR logic. There's no way to require that a user must be both the owner AND a member of a specific group to access a resource (AND logic).

Issue number, if available: aws-amplify/amplify-category-api#3381

Changes

Add inGroup() method to owner authorization rules that allows requiring group membership in addition to owner matching:

  • Add inGroup(...groups: string[]) method to owner(), ownerDefinedIn(), and ownersDefinedIn()
  • Groups specified via inGroup() are passed to the transformer via the groups field on owner rules
  • The transformer interprets groups on an owner rule as AND logic (must be owner AND in group)

Example usage:

.authorization((allow) => allow.owner().inGroup('AdminGroup'))

Corresponding docs PR, if applicable: TBD

Validation

  • Added comprehensive unit tests for inGroup() with various combinations (552 tests passed)
  • Snapshot tests verify correct GraphQL schema output with groups on owner rules
  • Tests cover: single group, multiple groups, chaining with operations/identityClaim, different owner field definitions

Checklist

  • If this PR includes a functional change to the runtime or type-level behavior of the code, I have added or updated automated test coverage for this change.
  • If this PR requires a docs update, I have linked to that docs PR above.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@cheruvian @claude
feat(auth): add inGroup() method for owner authorization
c99ebac 
Add support for requiring group membership with owner-based auth rules.
The new `owner().inGroup()` API allows defining authorization rules where
users must be both the owner AND a member of specified groups.

- Add `inGroup()` method to owner, ownerDefinedIn, and ownersDefinedIn
- Groups specified via inGroup() are passed to the transformer for AND logic
- Add comprehensive tests for inGroup() with various combinations

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@cheruvian cheruvian requested a review from a team as a code owner December 19, 2025 05:30
@changeset-bot
Copy link

changeset-bot bot commented Dec 19, 2025

🦋 Changeset detected

Latest commit: c99ebac

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
@aws-amplify/data-schema Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cheruvian