aws-amplify / amplify-category-api

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development. This plugin provides functionality for the API category, allowing for the creation and management of GraphQL and REST based backends for your amplify project.
https://docs.amplify.aws/
Apache License 2.0

Mutations are not authorized when using manyToMany relation and cognito user groups auth | Amplify v6 #2905

Open edlefebvre opened 4 weeks ago

edlefebvre commented 4 weeks ago

JavaScript Framework

Vue

Amplify APIs

Authentication, GraphQL API

Amplify Version

v6

Amplify Categories

auth, api

Backend

Amplify CLI

Environment information

```
# Put output below this line
System:
  OS: Linux 6.9 Fedora Linux 39
  Container: Yes
  Shell: 5.9 - /usr/bin/zsh
Binaries:
  Node: 20.8.1 - ~/.nvm/versions/node/v20.8.1/bin/node
  Yarn: 1.22.21 - /usr/bin/yarn
  npm: 10.2.5 - ~/.nvm/versions/node/v20.8.1/bin/npm
Browsers:
  Chrome: 128.0.6613.84
npmPackages:
  @aws-amplify/ui-vue: ^4.2.0 => 4.2.0
  @vitejs/plugin-vue: ^5.1.2 => 5.1.2
  aws-amplify: ^6.5.3 => 6.5.3
  aws-amplify/adapter-core: undefined ()
  aws-amplify/analytics: undefined ()
  aws-amplify/analytics/kinesis: undefined ()
  aws-amplify/analytics/kinesis-firehose: undefined ()
  aws-amplify/analytics/personalize: undefined ()
  aws-amplify/analytics/pinpoint: undefined ()
  aws-amplify/api: undefined ()
  aws-amplify/api/server: undefined ()
  aws-amplify/auth: undefined ()
  aws-amplify/auth/cognito: undefined ()
  aws-amplify/auth/cognito/server: undefined ()
  aws-amplify/auth/enable-oauth-listener: undefined ()
  aws-amplify/auth/server: undefined ()
  aws-amplify/data: undefined ()
  aws-amplify/data/server: undefined ()
  aws-amplify/datastore: undefined ()
  aws-amplify/in-app-messaging: undefined ()
  aws-amplify/in-app-messaging/pinpoint: undefined ()
  aws-amplify/push-notifications: undefined ()
  aws-amplify/push-notifications/pinpoint: undefined ()
  aws-amplify/storage: undefined ()
  aws-amplify/storage/s3: undefined ()
  aws-amplify/storage/s3/server: undefined ()
  aws-amplify/storage/server: undefined ()
  aws-amplify/utils: undefined ()
  vite: ^5.4.2 => 5.4.2
  vue: ^3.4.15 => 3.4.38
  vue-router: ^4.2.5 => 4.2.5
npmGlobalPackages:
  @aws-amplify/cli: 12.12.6
  npm: 10.2.5
```

Describe the bug

I can't write mutations for manyToMany relations with Amplify v6; I get an unauthorized error.

I've seen this bug (#13226), which could be related, except I don't use DataStore.

Consider this GraphQL schema:

```graphql
type TestAuth
  @model
  @auth(
    rules: [
      { allow: groups, groups: ["admin"] },
      { allow: groups, groupsField: "create", operations: [create] },
      { allow: groups, groupsField: "read", operations: [read] },
      { allow: groups, groupsField: "update", operations: [update] },
      { allow: groups, groupsField: "delete", operations: [delete] }
    ]
  )
{
  id: ID!
  tenant: String!
  name: String
  sites: [TestAuthSite] @manyToMany(relationName: "TestAuthSiteLinks")
  create: [String]
  read: [String]
  update: [String]
  delete: [String]
}

type TestAuthSite
  @model
  @auth(
    rules: [
      { allow: groups, groups: ["admin"] },
      { allow: groups, groupsField: "create", operations: [create] },
      { allow: groups, groupsField: "read", operations: [read] },
      { allow: groups, groupsField: "update", operations: [update] },
      { allow: groups, groupsField: "delete", operations: [delete] }
    ]
  )
{
  id: ID!
  tenant: String!
  name: String
  testauth: [TestAuth] @manyToMany(relationName: "TestAuthSiteLinks")
  create: [String]
  read: [String]
  update: [String]
  delete: [String]
}
```

Using a user with a Cognito group 'Manager' that has CRUD rights on these two models, I'm able to create `TestAuth` and `TestAuthSite`. But the `createTestAuthSiteLinks` mutation throws the error `Not Authorized to access createTestAuthSiteLinks on type Mutation`.

I tried this directly in AppSync and in my app, both failed.

Any help much appreciated!

Expected behavior

Should be able to write mutations for linking manyToMany relations when both models being joined have auth set up with Cognito groups.

Reproduction steps

  1. Use the suggested graphql schema
  2. Create a TestAuth
  3. Create a TestAuthSite
  4. Try to create a TestAuthSiteLinks and see the error

edlefebvre commented 4 weeks ago

As a workaround, I'm now using two @hasMany <=> @belongsTo relationships with the same auth settings as the models being joined.
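The workaround described above, written out as an added example (this is not the reporter's schema, and the model and field names `TestAuthSiteLink`, `testAuthId`, `testAuthSiteId`, `byTestAuth` and `byTestAuthSite` are assumptions). `TestAuth` and `TestAuthSite` keep the `@auth` rules from the issue; only their relationship fields change, and the explicit join model repeats those rules together with the group fields they read, so a link record is authorized the same way as the records it connects:

```graphql
# Added example, not the reporter's schema. TestAuth and TestAuthSite keep the
# @auth rules shown in the issue; only their relationship field changes:
#   TestAuth:     sites: [TestAuthSiteLink] @hasMany(indexName: "byTestAuth", fields: ["id"])
#   TestAuthSite: testauth: [TestAuthSiteLink] @hasMany(indexName: "byTestAuthSite", fields: ["id"])
#
# Explicit join model (name is an assumption) replacing the implicit
# @manyToMany(relationName: "TestAuthSiteLinks") table.
type TestAuthSiteLink
  @model
  @auth(
    rules: [
      { allow: groups, groups: ["admin"] },
      { allow: groups, groupsField: "create", operations: [create] },
      { allow: groups, groupsField: "read", operations: [read] },
      { allow: groups, groupsField: "update", operations: [update] },
      { allow: groups, groupsField: "delete", operations: [delete] }
    ]
  )
{
  id: ID!
  # Foreign keys with the secondary indexes the parents' @hasMany fields target
  testAuthId: ID! @index(name: "byTestAuth")
  testAuthSiteId: ID! @index(name: "byTestAuthSite")
  testAuth: TestAuth @belongsTo(fields: ["testAuthId"])
  testAuthSite: TestAuthSite @belongsTo(fields: ["testAuthSiteId"])
  # Dynamic-group fields the rules above read. A non-admin caller creating a
  # link must include one of its own Cognito groups in `create` (for example
  # create: ["Manager"]); otherwise the create is denied, exactly as on the parents.
  create: [String]
  read: [String]
  update: [String]
  delete: [String]
}
```

Because the link records now carry their own group fields, a `Manager` user can only create links whose `create` list names a group they belong to, and reads of the link table are filtered by `read` in the same way as reads of `TestAuth` and `TestAuthSite`.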

chrisbonifacio commented 3 weeks ago

Hi @edlefebvre 👋 thanks for raising this issue! I will try to reproduce and report back with any findings.

chrisbonifacio commented 2 days ago

Hi @edlefebvre, since this is reproducible in the AppSync console, it is likely a GraphQL transformer issue. Auth rules/resolvers are generated at build time, so I transferred this over to the category-api repo for better support.