ModelRelationshipFieldFunctions<T, RM, K>: {
    authorization<AuthRuleType>(callback): ModelRelationshipField<T, "authorization" | K, K, AuthRuleType>;
    required(): ModelRelationshipField<SetTypeSubArg<T, "arrayRequired", true>, "required" | K, never, undefined>;
    valueRequired(): ModelRelationshipField<SetTypeSubArg<T, "valueRequired", true>, K | "valueRequired", never, undefined>;
}

Type Parameters

Type declaration

  • authorization:function
    • Configures field-level authorization rules. Pass in an array of authorizations (allow => allow.____) to mix and match multiple authorization rules for this field.

      Type Parameters

      Parameters

      • callback: ((allow) => AuthRuleType | AuthRuleType[])
          • (allow): AuthRuleType | AuthRuleType[]
          • Parameters

            • allow: {
                  authenticated: ((provider?) => Authorization<"private", undefined, false> & {
                      to: typeof to;
                  });
                  custom: ((provider?) => Authorization<"custom", undefined, false> & {
                      to: typeof to;
                  });
                  group: ((group, provider?) => Authorization<"groups", undefined, false> & {
                      to: typeof to;
                      withClaimIn: typeof withClaimIn;
                  });
                  groupDefinedIn: (<T>(groupsField, provider?) => Authorization<"groups", T, false> & {
                      to: typeof to;
                      withClaimIn: typeof withClaimIn;
                  });
                  groups: ((groups, provider?) => Authorization<"groups", undefined, false> & {
                      to: typeof to;
                      withClaimIn: typeof withClaimIn;
                  });
                  groupsDefinedIn: (<T>(groupsField, provider?) => Authorization<"groups", T, true> & {
                      to: typeof to;
                      withClaimIn: typeof withClaimIn;
                  });
                  guest: (() => Authorization<"public", undefined, false> & {
                      to: typeof to;
                  });
                  owner: ((provider?) => Authorization<"owner", "owner", false> & {
                      identityClaim: typeof identityClaim;
                      to: typeof to;
                  });
                  ownerDefinedIn: (<T>(ownerField, provider?) => Authorization<"owner", T, false> & {
                      identityClaim: typeof identityClaim;
                      to: typeof to;
                  });
                  ownersDefinedIn: (<T>(ownersField, provider?) => Authorization<"owner", T, true> & {
                      identityClaim: typeof identityClaim;
                      to: typeof to;
                  });
                  publicApiKey: (() => Authorization<"public", undefined, false> & {
                      to: typeof to;
                  });
                  resource: ((fn) => ResourceAuthorization & {
                      to: typeof resourceTo;
                  });
              }
              • Readonly authenticated: ((provider?) => Authorization<"private", undefined, false> & {
                    to: typeof to;
                })

                Authorize authenticated users. By default, .authenticated() uses an Amazon Cognito user pool based authorization. You can additionally use .authenticated("identityPool") or .authenticated("oidc") to use identityPool or OIDC based authorization for authenticated users.

                Param: provider

                the authentication provider - supports "userPools", "identityPool", or "oidc"

                Returns

                an authorization rule for authenticated users

                  • (provider?): Authorization<"private", undefined, false> & {
                        to: typeof to;
                    }
                  • Authorize authenticated users. By default, .authenticated() uses an Amazon Cognito user pool based authorization. You can additionally use .authenticated("identityPool") or .authenticated("oidc") to use identityPool or OIDC based authorization for authenticated users.

                    Parameters

                    • Optional provider: PrivateProvider

                      the authentication provider - supports "userPools", "identityPool", or "oidc"

                    Returns Authorization<"private", undefined, false> & {
                        to: typeof to;
                    }

                    an authorization rule for authenticated users

              • Readonly custom: ((provider?) => Authorization<"custom", undefined, false> & {
                    to: typeof to;
                })
              • Readonly group: ((group, provider?) => Authorization<"groups", undefined, false> & {
                    to: typeof to;
                    withClaimIn: typeof withClaimIn;
                })

                Authorize a specific user group. Provide the name of the specific user group to have access.

                By default, .group() uses an Amazon Cognito user pool based authorization. You can additionally use .group("group-name", "oidc") to use OIDC based authentication to designate the user group.

                To change the specific claim that should be used as the user group identifier, chain the .withClaimIn(...) method.

                Param: group

                the name of the group to authorize

                Param: provider

                the authentication provider - supports "userPools" or "oidc"

                Returns

                an authorization rule to grant access by a specific group

                  • (group, provider?): Authorization<"groups", undefined, false> & {
                        to: typeof to;
                        withClaimIn: typeof withClaimIn;
                    }
                  • Authorize a specific user group. Provide the name of the specific user group to have access.

                    By default, .group() uses an Amazon Cognito user pool based authorization. You can additionally use .group("group-name", "oidc") to use OIDC based authentication to designate the user group.

                    To change the specific claim that should be used as the user group identifier, chain the .withClaimIn(...) method.

                    Parameters

                    • group: string

                      the name of the group to authorize

                    • Optional provider: GroupProvider

                      the authentication provider - supports "userPools" or "oidc"

                    Returns Authorization<"groups", undefined, false> & {
                        to: typeof to;
                        withClaimIn: typeof withClaimIn;
                    }

                    an authorization rule to grant access by a specific group

              • Readonly groupDefinedIn: (<T>(groupsField, provider?) => Authorization<"groups", T, false> & {
                    to: typeof to;
                    withClaimIn: typeof withClaimIn;
                })

                Authorize if a user is part of a group defined in a data model field.

                By default, .groupDefinedIn() uses an Amazon Cognito user pool based authorization. You can additionally use .groupDefinedIn("field-name", "oidc") to use OIDC based authentication to designate the user group.

                To change the specific claim that should be used as the user group identifier within the groups field, chain the .withClaimIn(...) method.

                Param: groupsField

                the field that should store the authorized user group information

                Param: provider

                the authentication provider - supports "userPools" or "oidc"

                Returns

                an authorization rule to grant access by a specific group

                  • <T>(groupsField, provider?): Authorization<"groups", T, false> & {
                        to: typeof to;
                        withClaimIn: typeof withClaimIn;
                    }
                  • Authorize if a user is part of a group defined in a data model field.

                    By default, .groupDefinedIn() uses an Amazon Cognito user pool based authorization. You can additionally use .groupDefinedIn("field-name", "oidc") to use OIDC based authentication to designate the user group.

                    To change the specific claim that should be used as the user group identifier within the groups field, chain the .withClaimIn(...) method.

                    Type Parameters

                    • T extends string

                    Parameters

                    • groupsField: T

                      the field that should store the authorized user group information

                    • Optional provider: GroupProvider

                      the authentication provider - supports "userPools" or "oidc"

                    Returns Authorization<"groups", T, false> & {
                        to: typeof to;
                        withClaimIn: typeof withClaimIn;
                    }

                    an authorization rule to grant access by a specific group

              • Readonly groups: ((groups, provider?) => Authorization<"groups", undefined, false> & {
                    to: typeof to;
                    withClaimIn: typeof withClaimIn;
                })

                Authorize multiple specific user groups. Provide the names of the specific user groups to have access.

                By default, .groups() uses an Amazon Cognito user pool based authorization. You can additionally use .groups(["group-a", "group-b"], "oidc") to use OIDC based authentication to designate the user group.

                To change the specific claim that should be used as the user group identifier, chain the .withClaimIn(...) method.

                Param: groups

                the names of the group to authorize defined as an array

                Param: provider

                the authentication provider - supports "userPools" or "oidc"

                Returns

                an authorization rule to grant access by a specific group

                  • (groups, provider?): Authorization<"groups", undefined, false> & {
                        to: typeof to;
                        withClaimIn: typeof withClaimIn;
                    }
                  • Authorize multiple specific user groups. Provide the names of the specific user groups to have access.

                    By default, .groups() uses an Amazon Cognito user pool based authorization. You can additionally use .groups(["group-a", "group-b"], "oidc") to use OIDC based authentication to designate the user group.

                    To change the specific claim that should be used as the user group identifier, chain the .withClaimIn(...) method.

                    Parameters

                    • groups: string[]

                      the names of the group to authorize defined as an array

                    • Optional provider: GroupProvider

                      the authentication provider - supports "userPools" or "oidc"

                    Returns Authorization<"groups", undefined, false> & {
                        to: typeof to;
                        withClaimIn: typeof withClaimIn;
                    }

                    an authorization rule to grant access by a specific group

              • Readonly groupsDefinedIn: (<T>(groupsField, provider?) => Authorization<"groups", T, true> & {
                    to: typeof to;
                    withClaimIn: typeof withClaimIn;
                })

                Authorize if a user is part of a one of the groups defined in a data model field.

                By default, .groupsDefinedIn() uses an Amazon Cognito user pool based authorization. You can additionally use .groupsDefinedIn("field-name", "oidc") to use OIDC based authentication to designate the user group.

                To change the specific claim that should be used as the user group identifier within the groups field, chain the .withClaimIn(...) method.

                Param: groupsField

                the field that should store the list of authorized user groups

                Param: provider

                the authentication provider - supports "userPools" or "oidc"

                Returns

                an authorization rule to grant access by a specific group

                  • <T>(groupsField, provider?): Authorization<"groups", T, true> & {
                        to: typeof to;
                        withClaimIn: typeof withClaimIn;
                    }
                  • Authorize if a user is part of a one of the groups defined in a data model field.

                    By default, .groupsDefinedIn() uses an Amazon Cognito user pool based authorization. You can additionally use .groupsDefinedIn("field-name", "oidc") to use OIDC based authentication to designate the user group.

                    To change the specific claim that should be used as the user group identifier within the groups field, chain the .withClaimIn(...) method.

                    Type Parameters

                    • T extends string

                    Parameters

                    • groupsField: T

                      the field that should store the list of authorized user groups

                    • Optional provider: GroupProvider

                      the authentication provider - supports "userPools" or "oidc"

                    Returns Authorization<"groups", T, true> & {
                        to: typeof to;
                        withClaimIn: typeof withClaimIn;
                    }

                    an authorization rule to grant access by a specific group

              • Readonly guest: (() => Authorization<"public", undefined, false> & {
                    to: typeof to;
                })

                Authorize unauthenticated users by using IDENTITYPOOL based authorization.

                Returns

                an authorization rule for unauthenticated users

                  • (): Authorization<"public", undefined, false> & {
                        to: typeof to;
                    }
                  • Authorize unauthenticated users by using IDENTITYPOOL based authorization.

                    Returns Authorization<"public", undefined, false> & {
                        to: typeof to;
                    }

                    an authorization rule for unauthenticated users

              • Readonly owner: ((provider?) => Authorization<"owner", "owner", false> & {
                    identityClaim: typeof identityClaim;
                    to: typeof to;
                })

                Authorize access on a per-user (owner) basis. By setting owner-based authorization, a new owner: a.string() field will be added to the model to store which user "owns" the item. Upon item creation, the "owner field" is auto-populated with the authenticated user's information. If you want to specify which field should be used as the owner field, you can use the ownerDefinedIn builder function instead.

                By default, .owner() uses an Amazon Cognito user pool based authorization. You can additionally use .owner("oidc") to use OIDC based authentication to designate the owner.

                To change the specific claim that should be used as the user identifier within the owner field, chain the .identityClaim(...) method.

                Param: provider

                the authentication provider - supports "userPools", "identityPool", or "oidc"

                Returns

                an authorization rule for authenticated users

                  • (provider?): Authorization<"owner", "owner", false> & {
                        identityClaim: typeof identityClaim;
                        to: typeof to;
                    }
                  • Authorize access on a per-user (owner) basis. By setting owner-based authorization, a new owner: a.string() field will be added to the model to store which user "owns" the item. Upon item creation, the "owner field" is auto-populated with the authenticated user's information. If you want to specify which field should be used as the owner field, you can use the ownerDefinedIn builder function instead.

                    By default, .owner() uses an Amazon Cognito user pool based authorization. You can additionally use .owner("oidc") to use OIDC based authentication to designate the owner.

                    To change the specific claim that should be used as the user identifier within the owner field, chain the .identityClaim(...) method.

                    Parameters

                    • Optional provider: OwnerProviders

                      the authentication provider - supports "userPools", "identityPool", or "oidc"

                    Returns Authorization<"owner", "owner", false> & {
                        identityClaim: typeof identityClaim;
                        to: typeof to;
                    }

                    an authorization rule for authenticated users

              • Readonly ownerDefinedIn: (<T>(ownerField, provider?) => Authorization<"owner", T, false> & {
                    identityClaim: typeof identityClaim;
                    to: typeof to;
                })

                Authorize access on a per-user (owner) basis with specifying which field should be used as the owner field.

                By default, .owner() uses an Amazon Cognito user pool based authorization. You can additionally use .ownerDefinedIn("owner", "oidc") to use OIDC based authentication to designate the owner.

                To change the specific claim that should be used as the user identifier within the owner field, chain the .identityClaim(...) method.

                Param: ownerField

                the field that contains the owner information

                Param: provider

                the authentication provider - supports "userPools", "identityPool", or "oidc"

                Returns

                an authorization rule for authenticated users

                  • <T>(ownerField, provider?): Authorization<"owner", T, false> & {
                        identityClaim: typeof identityClaim;
                        to: typeof to;
                    }
                  • Authorize access on a per-user (owner) basis with specifying which field should be used as the owner field.

                    By default, .owner() uses an Amazon Cognito user pool based authorization. You can additionally use .ownerDefinedIn("owner", "oidc") to use OIDC based authentication to designate the owner.

                    To change the specific claim that should be used as the user identifier within the owner field, chain the .identityClaim(...) method.

                    Type Parameters

                    • T extends string

                    Parameters

                    • ownerField: T

                      the field that contains the owner information

                    • Optional provider: OwnerProviders

                      the authentication provider - supports "userPools", "identityPool", or "oidc"

                    Returns Authorization<"owner", T, false> & {
                        identityClaim: typeof identityClaim;
                        to: typeof to;
                    }

                    an authorization rule for authenticated users

              • Readonly ownersDefinedIn: (<T>(ownersField, provider?) => Authorization<"owner", T, true> & {
                    identityClaim: typeof identityClaim;
                    to: typeof to;
                })

                Authorize access for multi-user / multi-owner access. By setting multi-owner-based authorization, a new owners: a.string().array() field will be added to the model to store which users "own" the item. Upon item creation, the "owners field" is auto-populated with the authenticated user's information. To grant other users access to the item, append their user identifier into the owners array.

                You can specify which field should be used as the owners field by passing the ownersField parameter.

                By default, .ownersDefinedIn() uses an Amazon Cognito user pool based authorization. You can additionally use .ownersDefinedIn("owners", "oidc") to use OIDC based authentication to designate the owner.

                To change the specific claim that should be used as the user identifier within the owners field, chain the .identityClaim(...) method.

                Param: ownersField

                the field that contains the owners information

                Param: provider

                the authentication provider - supports "userPools", "identityPool", or "oidc"

                Returns

                an authorization rule for authenticated users

                  • <T>(ownersField, provider?): Authorization<"owner", T, true> & {
                        identityClaim: typeof identityClaim;
                        to: typeof to;
                    }
                  • Authorize access for multi-user / multi-owner access. By setting multi-owner-based authorization, a new owners: a.string().array() field will be added to the model to store which users "own" the item. Upon item creation, the "owners field" is auto-populated with the authenticated user's information. To grant other users access to the item, append their user identifier into the owners array.

                    You can specify which field should be used as the owners field by passing the ownersField parameter.

                    By default, .ownersDefinedIn() uses an Amazon Cognito user pool based authorization. You can additionally use .ownersDefinedIn("owners", "oidc") to use OIDC based authentication to designate the owner.

                    To change the specific claim that should be used as the user identifier within the owners field, chain the .identityClaim(...) method.

                    Type Parameters

                    • T extends string

                    Parameters

                    • ownersField: T

                      the field that contains the owners information

                    • Optional provider: OwnerProviders

                      the authentication provider - supports "userPools", "identityPool", or "oidc"

                    Returns Authorization<"owner", T, true> & {
                        identityClaim: typeof identityClaim;
                        to: typeof to;
                    }

                    an authorization rule for authenticated users

              • Readonly publicApiKey: (() => Authorization<"public", undefined, false> & {
                    to: typeof to;
                })

                Authorize unauthenticated users by using API key based authorization.

                Returns

                an authorization rule for unauthenticated users

                  • (): Authorization<"public", undefined, false> & {
                        to: typeof to;
                    }
                  • Authorize unauthenticated users by using API key based authorization.

                    Returns Authorization<"public", undefined, false> & {
                        to: typeof to;
                    }

                    an authorization rule for unauthenticated users

              • Readonly resource: ((fn) => ResourceAuthorization & {
                    to: typeof resourceTo;
                })

            Returns AuthRuleType | AuthRuleType[]

      Returns ModelRelationshipField<T, "authorization" | K, K, AuthRuleType>

  • required:function
  • valueRequired:function