Authorization

Overview

Authorization determines what authenticated users can access and modify.

Authorization Layers

1. API Gateway Authorizer

Purpose: Validate the caller's API key before the backend Lambda function runs

Implementation:

  • Lambda authorizer function

  • Validates the Bearer token from the Authorization header

  • Returns an IAM policy allowing or denying execute-api:Invoke

  • Includes user context (user ID, environment) for the backend function

Flow:

Request → API Gateway → Authorizer → Lambda Function

2. Service-Level Authorization

Purpose: Validate resource ownership

Implementation:

  • Services check user ownership

  • Environment validation

  • Permission checks

Resource Ownership

Forms

  • Forms belong to users (userId)

  • Users can only access their own forms

  • Environment validation ensures isolation

Submissions

  • Submissions belong to form owners

  • Access controlled via form ownership

  • Environment-scoped queries

API Keys

  • Keys belong to users

  • Users can only manage their own keys

  • Environment-scoped keys

Authorization Checks

Form Access

// Service checks ownership
if (form.userId !== userId) {
  throw new Error('Forbidden: You do not have permission');
}

// Environment validation
if (environment && form.environment !== environment) {
  throw new Error('Forbidden: Form not found in environment');
}

API Key Validation

// Authorizer validates key and returns an IAM policy
const key = await lookupKey(apiKey);
if (!key || key.userId !== userId) {
  return generatePolicy('Deny', resource);
}
// Allow, passing owner and environment to the backend as context (context argument assumed)
return generatePolicy('Allow', resource, { userId: key.userId, environment: key.environment });
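The ownership and environment checks above, carried through a small service layer as an added example (not the project's code): forms and submissions live in constructed in-memory tables with the fields the Resource Ownership section names, submissions are reached only through their form, and a ForbiddenError class (assumed) carries the 403 status the service answers with.

```javascript
// Error type carrying the HTTP status the API should answer with.
class ForbiddenError extends Error {
  constructor(message) {
    super(message);
    this.name = 'ForbiddenError';
    this.statusCode = 403;
  }
}

// Constructed sample tables (assumed schema): every record carries its owner
// and its environment, following the ownership rules above.
const FORMS = [
  { formId: 'form-1', userId: 'user-alice', environment: 'test', name: 'Contact' },
  { formId: 'form-2', userId: 'user-alice', environment: 'live', name: 'Contact' },
  { formId: 'form-3', userId: 'user-bob', environment: 'test', name: 'Signup' },
];
const SUBMISSIONS = [
  { submissionId: 'sub-1', formId: 'form-1', environment: 'test', data: { email: 'a@example.com' } },
  { submissionId: 'sub-2', formId: 'form-3', environment: 'test', data: { email: 'b@example.com' } },
];

// Ownership check first, then environment check, in the order the service uses.
// A form that does not exist is refused with the same message as one owned by
// someone else, so a guessed formId does not reveal whether the form exists.
function getForm(formId, userId, environment) {
  const form = FORMS.find((f) => f.formId === formId);
  if (!form || form.userId !== userId) {
    throw new ForbiddenError('Forbidden: You do not have permission');
  }
  if (form.environment !== environment) {
    throw new ForbiddenError('Forbidden: Form not found in environment');
  }
  return form;
}

// Submissions have no owner field of their own: access is derived from the
// form, so the form check runs before any submission is read.
function listSubmissions(formId, userId, environment) {
  const form = getForm(formId, userId, environment); // throws on any violation
  // Environment-scoped query: filter by form AND environment, never formId alone.
  return SUBMISSIONS.filter((s) => s.formId === form.formId && s.environment === environment);
}

// Map an authorization failure to the API response. Anything that is not a
// ForbiddenError is re-thrown so unexpected errors never masquerade as 403s.
function toResponse(fn) {
  try {
    return { statusCode: 200, body: fn() };
  } catch (err) {
    if (err instanceof ForbiddenError) {
      return { statusCode: err.statusCode, body: { error: err.message } };
    }
    throw err;
  }
}
```

The userId and environment passed into these functions are the values the authorizer placed in the request context, never values taken from the request body or query string; a client that could supply its own userId would bypass the check entirely.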

Environment Isolation

Data Isolation

  • All data scoped by user and environment

  • Partition keys include environment

  • Queries filtered by environment

API Key Scoping

  • Keys are environment-specific

  • Cannot access other environments

  • Environment in key record
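One way to make the isolation structural rather than a filter applied after the fact, as an added example (not the project's table design): the partition key carries both the owner and the environment, so a lookup or query made with the wrong environment simply misses. The USER#/ENV#/FORM#/APIKEY# key layout and the table name are assumptions; the query object is in the shape the DynamoDB DocumentClient query call accepts.

```javascript
// Assumed single-table layout: the partition key binds owner and environment
// together, so no query can span users or environments.
function partitionKey(userId, environment) {
  if (!userId || !environment) throw new Error('userId and environment are required');
  // '#' is the key delimiter; reject it in components so a key stays unambiguous.
  if (userId.includes('#') || environment.includes('#')) throw new Error('invalid key component');
  return `USER#${userId}#ENV#${environment}`;
}

function formKey(userId, environment, formId) {
  return { pk: partitionKey(userId, environment), sk: `FORM#${formId}` };
}

function apiKeyKey(userId, environment, keyId) {
  return { pk: partitionKey(userId, environment), sk: `APIKEY#${keyId}` };
}

// Query parameters for listing a user's forms in one environment. The
// environment lives in the KeyConditionExpression, not a FilterExpression, so
// it cannot be dropped by a later change without also breaking the query.
function listFormsQuery(userId, environment) {
  return {
    TableName: 'app-table',
    KeyConditionExpression: 'pk = :pk AND begins_with(sk, :prefix)',
    ExpressionAttributeValues: {
      ':pk': partitionKey(userId, environment),
      ':prefix': 'FORM#',
    },
  };
}

// Constructed in-memory stand-in for the table, enough to show that the same
// formId in another user's or another environment's partition is unreachable.
const TABLE = new Map();
function put(item) { TABLE.set(`${item.pk}|${item.sk}`, item); }
function get(key) { return TABLE.get(`${key.pk}|${key.sk}`) || null; }

put({ ...formKey('alice', 'test', 'form-1'), name: 'Contact' });
put({ ...formKey('alice', 'live', 'form-1'), name: 'Contact (live)' });
put({ ...apiKeyKey('alice', 'test', 'key-1'), keyHash: 'deadbeef' });
```

With this layout an API key record is itself environment-scoped by its partition key, which is what the "Environment in key record" rule above relies on: resolving a key in the test partition can never yield a live-environment identity.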

Permission Model

Current Model

  • Owner: Full access to own resources

  • No Sharing: Resources not shared between users

  • Environment Isolation: Complete isolation per environment

Future Enhancements

  • Organization-level sharing

  • Role-based access control

  • Team permissions

Error Responses

401 Unauthorized

  • Missing or invalid authentication

  • Token expired

  • Invalid API key

403 Forbidden

  • Authenticated but no permission

  • Wrong environment

  • Not resource owner

Next Steps

  • Security - Security overview

  • Data Protection - Encryption and PII

  • Best Practices - Security recommendations
