
Amplify Gen 2 Data field-level authentication disables create on key field #3818

Closed
2 tasks done
concavegit opened this issue May 31, 2024 · 11 comments
Labels
question General question

Comments

@concavegit

How did you install the Amplify CLI?

NPM

If applicable, what version of Node.js are you using?

v22.1.0

Amplify CLI Version

1.0.3

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No manual changes, but I added TTL following the official documentation.

Describe the bug

I have a schema like this:

const schema = a.schema({
  MyModel: a.model({
    // Allow someone to read but not create this field
    myFirstField: a.string().authorization((allow) => [allow.owner().to(["read"])]),
    // An internal process sets this field, so the owner should not have access to this
    mySecondField: a.string().authorization((_) => []),
    // This field should have the default create and read permissions
    myThirdField: a.string()
  }).authorization((allow) => [allow.owner().to(["create", "read"])]),
});

If I create this query in Swift

// Only the field with default create permission is set
let scanProcessingWorkflow = MyModel(myThirdField: "x")
let result = try await Amplify.API.mutate(
    request: .create(
        scanProcessingWorkflow,
        authMode: .amazonCognitoUserPools
    )
)

Then I get this error

Unauthorized on [id]

Expected behavior

I expect the create operation to succeed.

Reproduction steps

  1. Set up a table like
const schema = a.schema({
  MyModel: a.model({
    // Allow someone to read but not create this field
    myFirstField: a.string().authorization((allow) => [allow.owner().to(["read"])]),
    // An internal process sets this field, so the owner should not have access to this
    mySecondField: a.string().authorization((_) => []),
    // This field should have the default create and read permissions
    myThirdField: a.string()
  }).authorization((allow) => [allow.owner().to(["create", "read"])]),
});
  2. Try to create a record with just myThirdField like
// Only the field with default create permission is set
let scanProcessingWorkflow = MyModel(myThirdField: "x")
let result = try await Amplify.API.mutate(
    request: .create(
        scanProcessingWorkflow,
        authMode: .amazonCognitoUserPools
    )
)
  3. You should get an error `Unauthorized on [id]`
  4. Workaround: Remove the field-level authorization on myFirstField
  5. Because Sandbox hot swap deployments won't update the backend correctly, create a destructive deployment by replacing the model-level authorization with allow.publicApiKey() and wait for the deployment to succeed. Then revert the model-level authorization and wait for that deployment to succeed.
  6. Run step 2 again and the record creates successfully.

Project Identifier

No response

Log output

No response

Additional information

This is similar to aws-amplify/amplify-category-api#1714 which was fixed, but now this is for Amplify Gen 2.

Before submitting, please confirm:

  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.
@concavegit concavegit added the pending-triage Issue is pending triage label May 31, 2024
@AnilMaktala
Member

Hey @concavegit, thanks for raising this. We have a follow-up question: can you please verify this in the AppSync console and let us know the results?

@AnilMaktala AnilMaktala added the question General question label May 31, 2024
@concavegit
Author

Hello @AnilMaktala , I found that the AppSync console works as expected. The issue seems to be with the Swift query. I've verified with a debugger that the result below contains the error I have in the description, so I don't think it is due to code I manually created.

let result = try await Amplify.API.mutate(
    request: .create(
        scanProcessingWorkflow,
        authMode: .amazonCognitoUserPools
    )
)

@AnilMaktala AnilMaktala self-assigned this Jun 3, 2024
@concavegit
Author

Hello, just checking if there are any updates

@AnilMaktala
Member

Hey @concavegit, sorry for the delay, and thanks for the confirmation. Does this model have an id field? If not, can you try adding the id field to the model?

@concavegit
Author

Hello Anil, yes the model has an id field in DynamoDB. I don't define it in code, Amplify adds it automatically.

@concavegit
Author

Hello, @AnilMaktala, just checking on this

@AnilMaktala AnilMaktala transferred this issue from aws-amplify/amplify-category-api Aug 16, 2024
@github-actions github-actions bot added the pending-maintainer-response Issue is pending response from an Amplify team member label Aug 16, 2024
@lawmicha
Member

Hi @concavegit, for the API call

let result = try await Amplify.API.mutate(
    request: .create(
        scanProcessingWorkflow,
        authMode: .amazonCognitoUserPools
    )
)

When using runtime auth mode, this will use Amplify.Auth to retrieve the Cognito access token to add to the request. Can you confirm the following?

  1. Added the AWSCognitoAuthPlugin during configuration of the app
  2. User has signed into the app before making the API call

If you need more assistance, please provide the entire log with verbose logging enabled (Amplify.Logging.logLevel = .verbose) when the API call is made.

@github-actions github-actions bot removed the pending-maintainer-response Issue is pending response from an Amplify team member label Aug 19, 2024
@lawmicha
Member

Also, the .create API that takes in a model instance and returns the GraphQLRequest will add all the fields to the selection set of the document. This may be what's biting you. If you can show us the request being sent to AppSync, it can also be replayed on the AppSync console to verify the same response. A workaround would be to create your own GraphQLRequest that matches the one you performed successfully through the AppSync console.
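One way to apply the workaround described in the comment above, as an added example that is not code from this thread or from Amplify itself: a hand-built GraphQLRequest whose selection set and input contain only the fields the owner is allowed to read and create, mirroring the mutation that succeeded in the AppSync console. The mutation and input type names (createMyModel, CreateMyModelInput), the createdAt/updatedAt fields, and the authMode initializer parameter are assumptions based on Amplify's usual generated naming.

```swift
import Amplify

// Assumed: `MyModel` is the Swift type generated from the schema in this issue.
extension GraphQLRequest where R == MyModel {
    /// Create mutation that requests back only the fields the owner may read.
    /// `.create(model)` selects every field, including `myFirstField` and
    /// `mySecondField`, so AppSync rejects the response for a plain owner.
    static func createOwnerVisible(_ model: MyModel) -> GraphQLRequest<MyModel> {
        // Selection set limited to id, the writable field and the timestamps
        // (assumed generated names: createMyModel / CreateMyModelInput).
        let document = """
        mutation CreateMyModel($input: CreateMyModelInput!) {
          createMyModel(input: $input) {
            id
            myThirdField
            createdAt
            updatedAt
          }
        }
        """
        // Only send the field the owner is allowed to create; the restricted
        // fields never appear in the input, so field-level auth is not tripped.
        var input: [String: Any] = [:]
        if let value = model.myThirdField { input["myThirdField"] = value }

        return GraphQLRequest<MyModel>(
            document: document,
            variables: ["input": input],
            responseType: MyModel.self,
            decodePath: "createMyModel",
            authMode: .amazonCognitoUserPools   // assumed: runtime auth-mode parameter
        )
    }
}

// Same call as in the issue, but with the custom request instead of `.create`.
func createRecord() async throws -> MyModel {
    let model = MyModel(myThirdField: "x")
    let result = try await Amplify.API.mutate(request: .createOwnerVisible(model))
    switch result {
    case .success(let created):
        return created
    case .failure(let graphQLError):
        // Field-level "Unauthorized on [...]" errors surface here with the field path.
        throw graphQLError
    }
}
```

Compare the document string against the request that worked in the AppSync console; any field present in `.create`'s selection set but absent here is a candidate for the field-level denial.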

@ipodishima

I have the same issue. What I did to fix it was to add the id field into the TypeScript file description of the model.

@github-actions github-actions bot added the pending-maintainer-response Issue is pending response from an Amplify team member label Sep 12, 2024
@vincetran
Member

Thanks for your input, @ipodishima! At this point a few people have provided some possible solutions and it's been a month without follow-up from OP, so we will close this. If you're still running into issues, feel free to reopen.

@github-actions github-actions bot removed pending-triage Issue is pending triage pending-maintainer-response Issue is pending response from an Amplify team member labels Sep 12, 2024

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
