@@ -19,6 +19,7 @@ and authorizing requests with API key, IAM, Lambda authorizer, Cognito User Pool
1919 - [ API key] ( #api-key )
2020 - [ IAM] ( #iam )
2121 - [ Token-based authorization] ( #token-based-authorization )
22+ - [ Authorizers] ( #authorizers )
2223- [ Publishing events] ( #publishing-events )
2324- [ Subscribing to events] ( #subscribing-to-events )
2425- [ Closing resources] ( #closing-resources )
@@ -109,7 +110,7 @@ func publish(ctx context.Context) error {
109110 client , err := appsync.Connect (ctx, appsync.ConnectionOptions {
110111 Endpoint: wsEndpoint,
111112 Subprotocols: []string {appsync.ProtocolEvents },
112- Authorizer : authz,
113+ Authorizers : appsync. Authorizers {Default: authz} ,
113114 })
114115 if err != nil {
115116 return err
@@ -197,6 +198,75 @@ authz, err := authorizer.Token(authorizer.TokenAuthorizerConfig{
197198})
198199```
199200
201+ ## Authorizers
202+
203+ ` ConnectionOptions.Authorizers ` controls which authorizer is used for each operation type.
204+
205+ ``` go
206+ type Authorizers struct {
207+ Default authorizer.Authorizer
208+ Connect authorizer.Authorizer
209+ Publish authorizer.Authorizer
210+ Subscribe authorizer.Authorizer
211+ }
212+ ```
213+
214+ Fallback resolution: if a specific field (` Connect ` , ` Publish ` , or ` Subscribe ` ) is ` nil ` , ` Default ` is used.
215+
216+ ** Single authorizer for all operations (most common):**
217+
218+ ``` go
219+ client , err := appsync.Connect (ctx, appsync.ConnectionOptions {
220+ Endpoint : wsEndpoint,
221+ Subprotocols : []string {appsync.ProtocolEvents },
222+ Authorizers : appsync.Authorizers {Default: authz},
223+ })
224+ ```
225+
226+ ** Different authorizers per operation:**
227+
228+ ``` go
229+ client , err := appsync.Connect (ctx, appsync.ConnectionOptions {
230+ Endpoint : wsEndpoint,
231+ Subprotocols : []string {appsync.ProtocolEvents },
232+ Authorizers : appsync.Authorizers {
233+ Connect: connectAuthz,
234+ Publish: publishAuthz,
235+ Subscribe: subscribeAuthz,
236+ },
237+ })
238+ ```
239+
240+ ** Subscribe-only or publish-only clients:**
241+
242+ Authorizers for ` Publish ` and ` Subscribe ` are resolved at the point of use. If an operation is never called, its authorizer never needs to be configured. This makes it possible to follow the principle of least privilege by omitting ` Default ` and only configuring the authorizer for the operations the client actually uses.
243+
244+ Subscribe-only client — no publish authorizer configured:
245+
246+ ``` go
247+ client , err := appsync.Connect (ctx, appsync.ConnectionOptions {
248+ Endpoint : wsEndpoint,
249+ Subprotocols : []string {appsync.ProtocolEvents },
250+ Authorizers : appsync.Authorizers {
251+ Connect: connectAuthz,
252+ Subscribe: subscribeAuthz,
253+ },
254+ })
255+ ```
256+
257+ Publish-only client — no subscribe authorizer configured:
258+
259+ ``` go
260+ client , err := appsync.Connect (ctx, appsync.ConnectionOptions {
261+ Endpoint : wsEndpoint,
262+ Subprotocols : []string {appsync.ProtocolEvents },
263+ Authorizers : appsync.Authorizers {
264+ Connect: connectAuthz,
265+ Publish: publishAuthz,
266+ },
267+ })
268+ ```
269+
200270## Publishing events
201271
202272` Publish ` sends a payload to a channel.
@@ -216,6 +286,16 @@ if err != nil {
216286` Payload ` is a raw byte slice. The library does not require a Go struct, but AppSync event payloads are commonly JSON.
217287If you want structured data, marshal it before publishing.
218288
289+ The optional ` Authorizer ` field overrides ` Authorizers.Publish ` for a single call:
290+
291+ ``` go
292+ err := client.Publish (ctx, appsync.PublishCommandInput {
293+ Channel : " default/notifications" ,
294+ Payload : payload,
295+ Authorizer : perRequestAuthz,
296+ })
297+ ```
298+
219299## Subscribing to events
220300
221301Use ` Subscribe ` to create a channel subscription.
@@ -230,6 +310,15 @@ if err != nil {
230310defer sub.Close (context.Background ())
231311```
232312
313+ The optional ` Authorizer ` field overrides ` Authorizers.Subscribe ` for a single call:
314+
315+ ``` go
316+ sub , err := client.Subscribe (ctx, appsync.SubscribeCommandInput {
317+ Channel : " default/notifications" ,
318+ Authorizer : perRequestAuthz,
319+ })
320+ ```
321+
233322Read event messages with ` Next ` :
234323
235324``` go
@@ -371,7 +460,7 @@ if err != nil {
371460client , err := appsync.Connect (ctx, appsync.ConnectionOptions {
372461 Endpoint : wsEndpoint,
373462 Subprotocols : []string {appsync.ProtocolEvents },
374- Authorizer : authz,
463+ Authorizers : appsync. Authorizers {Default: authz} ,
375464})
376465```
377466
@@ -408,7 +497,7 @@ For connection and unsubscribe calls, `input.Channel` is empty and `input.Payloa
408497client , err := appsync.Connect (ctx, appsync.ConnectionOptions {
409498 Endpoint : wsEndpoint,
410499 Subprotocols : []string {appsync.ProtocolEvents },
411- Authorizer : authz,
500+ Authorizers : appsync. Authorizers {Default: authz} ,
412501 Backpressure : appsync.Backpressure {
413502 ConnectionInbound: 100 ,
414503 ConnectionOutbound: 100 ,
@@ -481,14 +570,7 @@ Runnable examples are available in:
481570- [ ` examples/iam ` ] ( examples/iam )
482571- [ ` examples/token ` ] ( examples/token )
483572- [ ` examples/custom-authorizer ` ] ( examples/custom-authorizer )
484-
485- ## Limitations
486-
487- A ` Client ` uses one authorizer for the entire connection lifecycle.
488-
489- The same authorizer is used to establish the WebSocket connection and to authorize
490- ` subscribe ` , ` publish ` , and ` unsubscribe ` messages. Using different authorizers for
491- connection setup and individual operation messages is not currently supported.
573+ - [ ` examples/multi-authorizer ` ] ( examples/multi-authorizer )
492574
493575## Tips
494576
@@ -525,7 +607,6 @@ in the future for some reason.
525607
526608Missing features:
527609
528- - authorizer per request
529610- HTTP Publish
530611- Batch Publish
531612- something else I missed probably
0 commit comments