Closed rezab777 closed 6 months ago
Hey @rezab777, Thank you for reporting this issue. Please try the instructions provided below and inform us if they successfully resolve the issue you are facing,
Thank you @AnilMaktala . The solution you suggested fixed the issue with pushing the resolvers to the cloud .
I am still seeing an error when starting a subscription though. Here's the error:
Error: {
"errors": [
{
"message": "Connection failed: AuthorizerFailureException"
}
]
}
at Object.error (https://a.b.cdn.console.awsstatic.com/a/v1/UUEPSESYMZITODOR7COQDRMIBJCTVRNH7OA3IVA3TZXO2F6Y5FZQ/main.js:2:4940409)
at b (https://a.b.cdn.console.awsstatic.com/a/v1/UUEPSESYMZITODOR7COQDRMIBJCTVRNH7OA3IVA3TZXO2F6Y5FZQ/main.js:2:4369146)
at A (https://a.b.cdn.console.awsstatic.com/a/v1/UUEPSESYMZITODOR7COQDRMIBJCTVRNH7OA3IVA3TZXO2F6Y5FZQ/main.js:2:4369603)
at e.value (https://a.b.cdn.console.awsstatic.com/a/v1/UUEPSESYMZITODOR7COQDRMIBJCTVRNH7OA3IVA3TZXO2F6Y5FZQ/main.js:2:4370220)
at Gh.<anonymous> (https://a.b.cdn.console.awsstatic.com/a/v1/UUEPSESYMZITODOR7COQDRMIBJCTVRNH7OA3IVA3TZXO2F6Y5FZQ/main.js:2:4928467)
at Generator.throw (<anonymous>)
at s (https://a.b.cdn.console.awsstatic.com/a/v1/UUEPSESYMZITODOR7COQDRMIBJCTVRNH7OA3IVA3TZXO2F6Y5FZQ/main.js:2:4925355)
If this is not helpful, please let me know if I can provide more info .
Thanks
Hey @rezab777, Sorry for the delay. Would it be possible for you to share the Subscription.onCreateCustomer.auth.1.req.vtl file with us?
Hi @AnilMaktala Sure please find below;
## [Start] Authorization Steps. **
$util.qr($ctx.stash.put("hasAuth", true))
#set( $isAuthorized = false )
## BEGIN LAMBDA AUTHORIZATION
#if( $util.authType() == "Lambda Authorization" )
#if( !$isAuthorized )
#set( $staticGroupRoles = [{"claim":"cognito:groups","entity":"Admin"}] )
#foreach( $groupRole in $staticGroupRoles )
#set( $groupsInToken = $util.defaultIfNull($ctx.identity.resolverContext.get($groupRole.claim).split(","), []) )
#if( $groupsInToken.contains($groupRole.entity) )
#set( $isAuthorized = true )
#break
#end
#end
#end
#set( $hasValidOwnerArgument = false )
#set( $authRuntimeFilter = [] )
#set( $authOwnerRuntimeFilter = [] )
#set( $authGroupRuntimeFilter = [] )
#set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.resolverContext.owner, null) )
#set( $currentClaim1 = $util.defaultIfNull($ctx.identity.resolverContext.username, $util.defaultIfNull($ctx.identity.resolverContext.get("cognito:username"), null)) )
#if( !$util.isNull($ownerClaim0) && !$util.isNull($currentClaim1) )
#set( $ownerClaim0 = "$ownerClaim0::$currentClaim1" )
#set( $ownerClaimsList0 = [] )
$util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.resolverContext.owner, null)))
$util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.resolverContext.username, $util.defaultIfNull($ctx.identity.resolverContext.get("cognito:username"), null))))
$util.qr($authOwnerRuntimeFilter.add({ "owner": { "eq": $currentClaim1 } }))
#set( $ownerEntity0 = $util.defaultIfNull($ctx.args.owner, null) )
#if( !$isAuthorized && !$util.isNullOrEmpty($ownerEntity0) )
#if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
#set( $isAuthorized = true )
#set( $hasValidOwnerArgument = true )
#else
$util.unauthorized()
#end
#end
#end
## Apply dynamic roles auth if not previously authorized by static groups and owner argument **
#if( $authOwnerRuntimeFilter.size() > 0 )
$util.qr($authRuntimeFilter.addAll($authOwnerRuntimeFilter))
#end
#if( $authGroupRuntimeFilter.size() > 0 )
$util.qr($authRuntimeFilter.addAll($authGroupRuntimeFilter))
#end
#set( $filterArgsSize = 0 )
#if( !$util.isNullOrEmpty($ctx.args.filter) )
#set( $filterArgsSize = $ctx.args.filter.size() )
#end
#set( $isOwnerAuthAuthorizedAndNoOtherFilters = $hasValidOwnerArgument && $authRuntimeFilter.size() == 1 && $filterArgsSize == 0 )
#set( $isOwnerOrDynamicAuthAuthorizedWithFilters = (!$isAuthorized || $hasValidOwnerArgument) && $authRuntimeFilter.size() > 0 )
#if( !$isOwnerAuthAuthorizedAndNoOtherFilters && $isOwnerOrDynamicAuthAuthorizedWithFilters )
#if( $util.isNullOrEmpty($ctx.args.filter) )
#set( $ctx.args.filter = { "or": $authRuntimeFilter } )
#else
#set( $ctx.args.filter = { "and": [ { "or": $authRuntimeFilter }, $ctx.args.filter ]} )
#end
#set( $isAuthorized = true )
#end
#end
## END LAMBDA AUTHORIZATION
#if( $util.authType() == "IAM Authorization" )
#set( $adminRoles = ["example-role-1", "example-role-2"] )
#foreach( $adminRole in $adminRoles )
#if( $ctx.identity.userArn.contains($adminRole) && $ctx.identity.userArn != $ctx.stash.authRole && $ctx.identity.userArn != $ctx.stash.unauthRole )
#return($util.toJson({}))
#end
#end
#if( !$isAuthorized )
#if( $ctx.identity.userArn == $ctx.stash.unauthRole )
#set( $isAuthorized = true )
#end
#end
#end
#if( $util.authType() == "User Pool Authorization" )
#if( !$isAuthorized )
#set( $staticGroupRoles = [{"claim":"cognito:groups","entity":"Admin"}] )
#foreach( $groupRole in $staticGroupRoles )
#set( $groupsInToken = $util.defaultIfNull($ctx.identity.claims.get($groupRole.claim), []) )
#if( $groupsInToken.contains($groupRole.entity) )
#set( $isAuthorized = true )
#break
#end
#end
#end
#set( $hasValidOwnerArgument = false )
#set( $authRuntimeFilter = [] )
#set( $authOwnerRuntimeFilter = [] )
#set( $authGroupRuntimeFilter = [] )
#set( $ownerClaim0 = $util.defaultIfNull($ctx.identity.claims.get("sub"), null) )
#set( $currentClaim1 = $util.defaultIfNull($ctx.identity.claims.get("username"), $util.defaultIfNull($ctx.identity.claims.get("cognito:username"), null)) )
#if( !$util.isNull($ownerClaim0) && !$util.isNull($currentClaim1) )
#set( $ownerClaim0 = "$ownerClaim0::$currentClaim1" )
#set( $ownerClaimsList0 = [] )
$util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get("sub"), null)))
$util.qr($ownerClaimsList0.add($util.defaultIfNull($ctx.identity.claims.get("username"), $util.defaultIfNull($ctx.identity.claims.get("cognito:username"), null))))
$util.qr($authOwnerRuntimeFilter.add({ "owner": { "eq": $currentClaim1 } }))
#set( $ownerEntity0 = $util.defaultIfNull($ctx.args.owner, null) )
#if( !$isAuthorized && !$util.isNullOrEmpty($ownerEntity0) )
#if( $ownerEntity0 == $ownerClaim0 || $ownerClaimsList0.contains($ownerEntity0) )
#set( $isAuthorized = true )
#set( $hasValidOwnerArgument = true )
#else
$util.unauthorized()
#end
#end
#end
## Apply dynamic roles auth if not previously authorized by static groups and owner argument **
#if( $authOwnerRuntimeFilter.size() > 0 )
$util.qr($authRuntimeFilter.addAll($authOwnerRuntimeFilter))
#end
#if( $authGroupRuntimeFilter.size() > 0 )
$util.qr($authRuntimeFilter.addAll($authGroupRuntimeFilter))
#end
#set( $filterArgsSize = 0 )
#if( !$util.isNullOrEmpty($ctx.args.filter) )
#set( $filterArgsSize = $ctx.args.filter.size() )
#end
#set( $isOwnerAuthAuthorizedAndNoOtherFilters = $hasValidOwnerArgument && $authRuntimeFilter.size() == 1 && $filterArgsSize == 0 )
#set( $isOwnerOrDynamicAuthAuthorizedWithFilters = (!$isAuthorized || $hasValidOwnerArgument) && $authRuntimeFilter.size() > 0 )
#if( !$isOwnerAuthAuthorizedAndNoOtherFilters && $isOwnerOrDynamicAuthAuthorizedWithFilters )
#if( $util.isNullOrEmpty($ctx.args.filter) )
#set( $ctx.args.filter = { "or": $authRuntimeFilter } )
#else
#set( $ctx.args.filter = { "and": [ { "or": $authRuntimeFilter }, $ctx.args.filter ]} )
#end
#set( $isAuthorized = true )
#end
#end
#if( !$isAuthorized )
$util.unauthorized()
#end
$util.toJson({"version":"2018-05-29","payload":{}})
## [End] Authorization Steps. **
Hi @rezab777, Thank you for sharing the VTL. Could you please clarify the type of authentication the logged-in user is using to initiate the subscription? Specifically, we would like to know if the user belongs to the admin Cognito user group or if they are the owner of the create mutation.
Hi @AnilMaktala
Apologies for the confusion and lack of adequate testing on our end.
To clarify :
Please let me know if I can provide further information.
Thanks
Hey @rezab777, Thank you for providing clarification. It appears that the previous project identifier has expired. Could you please run below command and send us the report and share us the project identifier again.
amplify diagnose --send-report
please refer here
@AnilMaktala Sure here Project Identifier: 888164d0a62c44d3956d89db2613c7ec
Hey @rezab777,Thank you for sharing the diagnose report. Upon reviewing the customer model, it appears that only the admin
group is configured in the schema. Are you considering the client
group as a dynamic group in this context?
@AnilMaktala Hi and sorry for the late response. To answer the question, no we are not considering the client group as a dynamic group.
Hey @rezab777, Sorry for delay. Are you still experiencing this issue?
Hey 👋 , This issue is being closed due to inactivity. If you are still experiencing the same problem and need further assistance, please feel free to leave a comment. This will enable us to reopen the issue and provide you with the necessary support.
This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.
How did you install the Amplify CLI?
No response
If applicable, what version of Node.js are you using?
No response
Amplify CLI Version
12.0.0
What operating system are you using?
Windows
Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.
No
Describe the bug
I had been using amplify cli version 10.5.1 until I upgraded to the latest version i.e. amplify cli version 12.0.0 in order to use the
--minify
flag ( the flag did not work as expected in version 10.5.1) .We are overriding all the auth resolvers as we're using Lambda authorization.
I have noticed that there has been additional logic added to the auth resolvers in the newest version (12.0.0) , namely to search (related to the @searchable directive) and subscription (graphql) auth resolvers .
So I went ahead and updated the search and subscriptions resolvers so they include the latest updates .
Here is what the issue is:
I was able to push the auth resolvers related to search e.g.
Query.searchMeasurements.auth.1.req.vtl
. But the updated auth resolvers related to graphql subscriptions cause the push to fail with the error messageExpected behavior
After updating the custom auth resolvers, changes should deploy.
Reproduction steps
Subscription.onCreateCustomer.auth.1.req.vtl
Project Identifier
Project Identifier: 888164d0a62c44d3956d89db2613c7ec
Session Identifier: 0e8bf909-bc9d-4c5e-a038-cac108108654
Log output
Additional information
No response
Before submitting, please confirm: