So I am working on some lambda mutations to add some data safety. But I feel like I am lacking some know-how on how to actually properly protect a mutation in GraphQL when just an @auth directive seems like not enough.
So to quickly sketch the situation.
There is, for example, a post type which has a createdDate, and that createdDate should not be decided on the client, but by the server itself. So the user should not call addPost, which is a mutation generated by Dgraph automatically.
Instead the client should call a mutation “addNewUserPost” which is attached to a lambda, which autofills the createdDate.
But I wanna avoid using DQL and just call the “addPost” graphql mutation instead so any @hasInverse gets properly triggered.
Which works amazingly, except that a “malicious” user could still call addPost in the client itself.
So I actually only want to ever allow usage of “addPost” from inside a lambda call and not from anywhere outside of that scope.
How can this be resolved if it’s actually possible?
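
The lambda side of the setup described in the question, as an added example that is not part of the original post: a resolver for `addNewUserPost` that copies only allow-listed client fields, stamps `createdDate` on the server, and goes through the generated `addPost` GraphQL mutation rather than DQL. The fields `title` and `text`, the `args.input` shape and an `ID` return type are assumptions; the example does not by itself stop a client from calling `addPost` directly.

```javascript
// Added example. Post fields other than createdDate are hypothetical.
const ADD_POST = `mutation ($post: AddPostInput!) {
  addPost(input: [$post]) { post { id createdDate } }
}`;

// Only these client-supplied fields are ever forwarded to addPost.
const CLIENT_FIELDS = ["title", "text"]; // assumed Post fields

// Build the addPost input. Anything not allow-listed (including a
// client-sent createdDate or id) is dropped; createdDate is set here.
function buildPostInput(clientInput, now = new Date()) {
  const src = clientInput || {};
  const post = {};
  for (const field of CLIENT_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(src, field)) {
      post[field] = src[field];
    }
  }
  post.createdDate = now.toISOString(); // server clock, not client input
  return post;
}

// Lambda resolver: calls the generated GraphQL mutation (not DQL), so
// schema-level behaviour such as @hasInverse still applies.
async function addNewUserPost({ args, graphql }) {
  const res = await graphql(ADD_POST, { post: buildPostInput(args.input) });
  if (res.errors && res.errors.length) {
    throw new Error(res.errors[0].message);
  }
  return res.data.addPost.post[0].id;
}

// Register with the Dgraph lambda runtime when it is present; the guard
// lets the file also be loaded under plain Node for testing.
if (typeof self !== "undefined" &&
    typeof self.addGraphQLResolvers === "function") {
  self.addGraphQLResolvers({ "Mutation.addNewUserPost": addNewUserPost });
}
```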