Closed dorontal closed 1 year ago
Hi @AnilMaktala - just trying to provide more info here: I noticed this other issue that may be related here. Please keep in mind that currently the default authorization mode is Cognito and also that the search table queries do work. Also: many other queries have worked for me with this schema and with Cognito as the default authorization mode. This issue is for the case when an unauth IAM user tries to do a listProjects
query. Thanks!
@AnilMaktala the following is quite interesting / related: I have been trying to "open up" the above schema so that I can continue working on my project, by removing all field level authorization rules and by providing, in the same schema, the rules that open every operation to public and private and owner (except that I did not touch the Search model because it was not related) -- after making all of these permissions changes and opening things up, the same exact issue remains:
Query failed: UnknownException { "message": "unable to send GraphQLRequest to client.", "underlyingException": "SignedOutException {\n \"message\": \"No user is currently signed in\"\n}" }
i.e, same response to the listQueries()
call shown above.
@AnilMaktala I have done one more test to try and open up the authentication restrictions so that I can continue to work with the UX, but even that new test did not succeed. It is illuminating, however, so I'll describe it. In short, removed all authentication code from the VTL resolver -- still, a IAM (unAuth role) cannot listProjects
- with this same issue ...
There are 4 resolvers associated with Query.listProjects
:
> ls amplify/backend/api/tracktunes/build/resolvers/Query.listProjects.*
amplify/backend/api/tracktunes/build/resolvers/Query.listProjects.auth.1.req.vtl
amplify/backend/api/tracktunes/build/resolvers/Query.listProjects.postAuth.1.req.vtl
amplify/backend/api/tracktunes/build/resolvers/Query.listProjects.req.vtl
amplify/backend/api/tracktunes/build/resolvers/Query.listProjects.res.vtl
I modified the contents of Query.listProjects.auth.1.req.vtl
to remove authentication and put the new file in
amplify/backend/api/tracktunes/resolvers/Query.listProjects.auth.1.req.vtl
The new code in that file is just this:
## [Start] Authorization Steps. **
$util.qr($ctx.stash.put("hasAuth", true))
#set( $isAuthorized = true )
#set( $primaryFieldMap = {} )
$util.toJson({"version":"2018-05-29","payload":{}})
## [End] Authorization Steps. **
Still, I get the exact same exception thrown as described above!
This suggests that the problem is probably not with the VTL code, it probably is in the Dart Amplify library code.
@AnilMaktala I solved the issue and it is no longer an issue! Here's the summary of the solution:
This was not a problem with any VTL resolver code.
This was not a problem with @auth
directives in the schema - they were correct.
It was a wrong setup problem with amplifyconfiguration.dart
- a new API block has to be created in amplifyconfiguration.dart
when using multi-auth -- just copy the block in there with authorizationType: AMAZON_COGNITO_USER_POOLS
into a new block in the same API section and change just the authorizationType
value in the new block to be "authorizationType": "AWS_IAM"
, and also change the name of the entire block at the top of it to something different (in this case it was changed to tracktunesGuest
). Here are the changes from the OLD section in amplifyconfiguration.dart
:
"awsAPIPlugin": {
"tracktunes": {
"endpointType": "GraphQL",
"endpoint": "https://sbtbwxoahfhfviwomoz3eg5t2e.appsync-api.us-east-1.amazonaws.com/graphql",
"region": "us-east-1",
"authorizationType": "AMAZON_COGNITO_USER_POOLS"
},
to:
"awsAPIPlugin": {
"tracktunes": {
"endpointType": "GraphQL",
"endpoint": "https://sbtbwxoahfhfviwomoz3eg5t2e.appsync-api.us-east-1.amazonaws.com/graphql",
"region": "us-east-1",
"authorizationType": "AMAZON_COGNITO_USER_POOLS"
},
"tracktunesGuest": {
"endpointType": "GraphQL",
"endpoint": "https://sbtbwxoahfhfviwomoz3eg5t2e.appsync-api.us-east-1.amazonaws.com/graphql",
"region": "us-east-1",
"authorizationType": "AWS_IAM"
},
Then in your code instead of using
final request = ModelQueries.list(Project.classType);
as in the code above, change it to:
final request = ModelQueries.list(Project.classType,
authorizationMode: APIAuthorizationType.iam,
apiName: 'tracktunesGuest');
And now multi-auth is working allowing guests to read while giving more permissions to signed in users.
This blog helped me solve this issue - extending a thank you to FullstackPho
!
Thank you @dorontal for the great write-up, this just saved me HOURS of work!! 🙌
@dorontal @tiyberius Glad you found my blog post useful and happy it is still (somewhat?) relevant almost 4 years after writing it! Thanks so much for the shoutout, really makes it worth it! :)
How did you install the Amplify CLI?
npm -g
If applicable, what version of Node.js are you using?
v18.13.0
Amplify CLI Version
12.2.3
What operating system are you using?
Debian 12
Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.
No manual changes - using all auto-generated resolvers in this issue, for example.
Describe the bug
This issue may be related to #1760, it may even be the same issue.
I have tried to open up an API model for access by
unAuth
role by adding{ allow: private, operations: [read] }
to the model@auth
section but I still get an exception when trying to list projects, which says:I have verified first that the
listProjects()
query works when a user is the owner of the projects and is signed in. But when nobody is signed in it should still work with the above permissions but doesn't.Here's the model for which I tried to list all instances:
and here is the
listProjects()
code:Expected behavior
After adding the
@auth
rule above I expectedunAuth
role to be able to list projects, i.e, I expected to be able to successfully execute thelistProjects
query with some results even when no user has yet signed into the application.Reproduction steps
@auth
rulesProject Identifier
860b46330dca368b2540f2cdb87a3485
Log output
Additional information
No response
Before submitting, please confirm: