aws-amplify / amplify-category-api

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development. This plugin provides functionality for the API category, allowing for the creation and management of GraphQL and REST based backends for your amplify project.
https://docs.amplify.aws/
Apache License 2.0

After migration from V1 to V2 Groups failing in search resolvers. #504

Closed n-francky closed 8 months ago

n-francky commented 2 years ago

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

14.7.0

Amplify CLI Version

8.2.0

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

no manual changes made

Amplify Categories

api

Amplify Commands

Not applicable

Describe the bug

After migrating from v1 to v2 and changing our schema to meet the requirements from the official document, GraphQL Transformer v1 to v2 migration, we noticed while testing that we were not able to search all records a user had rights to; users could only see records that they own/created.

After a long day of debugging and trying to find what went wrong, we noticed that the auto-generated VTL for the auth.req (Query.searchReceivers.auth.1.req.vtl) was missing the .keyword when setting our groups, e.g.:

Before:

```
"terms_set": {
    "groupsCanRead": {
        "terms": $util.defaultIfNull($ctx.identity.claims.get("cognito:groups"), ["___xamznone____"]),
        "minimum_should_match_script": {
            "source": "1"
        }
    }
}
```

Then, by creating a custom resolver and adding the .keyword like this, it started working.

```
"terms_set": {
    "groupsCanRead.keyword": { ## added the missing .keyword
        "terms": $util.defaultIfNull($ctx.identity.claims.get("cognito:groups"), ["___xamznone____"]),
        "minimum_should_match_script": {
            "source": "1"
        }
    }
}
```

Expected behavior

To be able to search and retrieve all the records that the user owns and has rights to.

Reproduction steps

  1. Model with owner and group auth rules
  2. Amplify push api
  3. Search for records using the rules

GraphQL schema(s)

```graphql
# Put schemas below this line
type Receiver
  @model
  @auth(
    rules: [
      { allow: owner, ownerField: "creatorId" }
      { allow: groups, groupsField: "groupsCanRead", operations: [read] }
      { allow: groups, groupsField: "groupsCanUpdate", operations: [update] }
      { allow: groups, groupsField: "groupsCanDelete", operations: [delete] }
      { allow: groups, groupsField: "admins" }
    ]
  )
  @searchable {
  id: ID!
  .......
}
```

Additional information

No response

ykethan commented 2 years ago

Hey @n-francky, Thank you for reaching out. On replicating the schema in my application I observed the "groupsCanRead.keyword" was generated locally in my Query.searchReceivers.auth.1.req.vtl file when utilizing AppSync transformer v2.

In order to further dive deeper into the issue, could you please run amplify api gql-compile and then check the Query.searchReceivers.auth.1.req.vtl file to see if the keyword has been appended. In case it has not, could you please provide us the cli.json file.
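The manual check requested above can be automated. The following Node.js sketch is an added example, not code from this thread or from the Amplify project: it scans resolver text for `terms_set` clauses whose field name lacks the `.keyword` suffix, the defect reported in this issue. The function names and the embedded resolver snippets are constructed for illustration, and the resolver directory is passed as an argument because its path depends on the project.

```javascript
// Added example: flag "terms_set" auth clauses whose field lacks ".keyword".
// Constructed sample, modelled on the "Before" fragment quoted in this issue.
const BROKEN_VTL = `"terms_set": {
  "groupsCanRead": {
    "terms": $util.defaultIfNull($ctx.identity.claims.get("cognito:groups"), ["___xamznone____"]),
    "minimum_should_match_script": { "source": "1" }
  }
}`;
// Constructed sample of the corrected form shown in the issue.
const FIXED_VTL = BROKEN_VTL.replace('"groupsCanRead"', '"groupsCanRead.keyword"');

// Captures the field name that directly follows: "terms_set": { "<field>": {
const TERMS_SET_FIELD = /"terms_set"\s*:\s*\{\s*"([^"]+)"\s*:\s*\{/g;

// Returns [{ field, line }] for every terms_set field without the suffix.
function findUnsuffixedFields(vtlText) {
  const findings = [];
  for (const m of vtlText.matchAll(TERMS_SET_FIELD)) {
    const field = m[1];
    if (field.endsWith('.keyword')) continue;
    const offset = m.index + m[0].indexOf(`"${field}"`);
    const line = vtlText.slice(0, offset).split('\n').length; // 1-based
    findings.push({ field, line });
  }
  return findings;
}

// resolvers: { fileName: fileText }. Only files with findings are reported.
function auditResolvers(resolvers) {
  const report = {};
  for (const [name, text] of Object.entries(resolvers)) {
    const findings = findUnsuffixedFields(text);
    if (findings.length > 0) report[name] = findings;
  }
  return report;
}

// Optional CLI use: node check.js <directory containing generated .vtl files>
async function auditDir(dir) {
  const fs = await import('node:fs');
  const path = await import('node:path');
  const resolvers = {};
  for (const name of fs.readdirSync(dir)) {
    if (name.endsWith('.vtl')) resolvers[name] = fs.readFileSync(path.join(dir, name), 'utf8');
  }
  return auditResolvers(resolvers);
}
if (process.argv[2]) {
  auditDir(process.argv[2]).then((report) => {
    console.log(JSON.stringify(report, null, 2));
    process.exitCode = Object.keys(report).length > 0 ? 1 : 0; // non-zero fails a CI step
  });
}
```

Run after `amplify api gql-compile`, a non-empty report means a search auth resolver would filter on the analyzed field rather than the exact-match `.keyword` subfield.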

ykethan commented 2 years ago

Hello @n-francky, following up on this to see if you are experiencing any issues.

n-francky commented 2 years ago

@ykethan Thanks for your response. No, it still does not work on my side. Here is the cli.json:

```json
{
  "features": {
    "graphqltransformer": {
      "addmissingownerfields": false,
      "improvepluralization": false,
      "validatetypenamereservedwords": true,
      "useexperimentalpipelinedtransformer": true,
      "enableiterativegsiupdates": false,
      "secondarykeyasgsi": false,
      "skipoverridemutationinputtypes": false,
      "transformerversion": 2,
      "suppressschemamigrationprompt": true,
      "securityEnhancementNotification": false,
      "showfieldauthnotification": false
    },
    "frontend-ios": {
      "enablexcodeintegration": false
    },
    "auth": {
      "enablecaseinsensitivity": false,
      "useinclusiveterminology": false,
      "breakcirculardependency": false,
      "forcealiasattributes": false,
      "useenabledmfas": false
    },
    "codegen": {
      "useappsyncmodelgenplugin": false,
      "usedocsgeneratorplugin": false,
      "usetypesgeneratorplugin": false,
      "cleangeneratedmodelsdirectory": false,
      "retaincasestyle": false,
      "addtimestampfields": false,
      "handlelistnullabilitytransparently": false,
      "emitauthprovider": false,
      "generateindexrules": false,
      "enabledartnullsafety": false
    },
    "appsync": {
      "generategraphqlpermissions": false
    },
    "latestregionsupport": {
      "pinpoint": 0,
      "translate": 0,
      "transcribe": 0,
      "rekognition": 0,
      "textract": 0,
      "comprehend": 0
    },
    "project": {
      "overrides": true
    }
  }
}
```

ykethan commented 2 years ago

Hello @n-francky, Thank you for providing me the cli.json file. I tried to replicate the behaviour with the provided cli.json file but did not observe the missing keyword behaviour.

Could you please try to delete the build folder under the api -> and run amplify api gql-compile. Then check the build Query.searchReceivers.auth.1.req.vtl resolver file.

I did observe a bit of difference in the cli.json from my amplify project but did not run into the missing keyword behaviour. Please find my cli.json as follows.

```json
{
  "features": {
    "graphqltransformer": {
      "addmissingownerfields": true,
      "improvepluralization": false,
      "validatetypenamereservedwords": true,
      "useexperimentalpipelinedtransformer": true,
      "enableiterativegsiupdates": true,
      "secondarykeyasgsi": true,
      "skipoverridemutationinputtypes": true,
      "transformerversion": 2,
      "suppressschemamigrationprompt": true,
      "securityenhancementnotification": false,
      "showfieldauthnotification": false,
      "usesubusernamefordefaultidentityclaim": true,
      "usefieldnameforprimarykeyconnectionfield": false
    },
    "frontend-ios": {
      "enablexcodeintegration": true
    },
    "auth": {
      "enablecaseinsensitivity": true,
      "useinclusiveterminology": true,
      "breakcirculardependency": true,
      "forcealiasattributes": false,
      "useenabledmfas": true
    },
    "codegen": {
      "useappsyncmodelgenplugin": true,
      "usedocsgeneratorplugin": true,
      "usetypesgeneratorplugin": true,
      "cleangeneratedmodelsdirectory": true,
      "retaincasestyle": true,
      "addtimestampfields": true,
      "handlelistnullabilitytransparently": true,
      "emitauthprovider": true,
      "generateindexrules": true,
      "enabledartnullsafety": true
    },
    "appsync": {
      "generategraphqlpermissions": true
    },
    "latestregionsupport": {
      "pinpoint": 1,
      "translate": 1,
      "transcribe": 1,
      "rekognition": 1,
      "textract": 1,
      "comprehend": 1
    },
    "project": {
      "overrides": true
    }
  }
}
```

n-francky commented 2 years ago

Hello @ykethan, I did delete the build but it is still the same. And I compared with your cli.json; indeed there is some difference. Are you using the same version of the CLI that I am using? Mine is 8.2.0.

ykethan commented 2 years ago

Hey @n-francky, yes I tested the gql compile on the CLI version 8.2.0. In order to further dive deeper into the issue could you please send us your Amplify folder at amplify-cli@amazon.com.

n-francky commented 2 years ago

@ykethan could you be more specific, because we have some sensitive information in that folder?

ykethan commented 2 years ago

Hey @n-francky, I understand that the folder has sensitive information. On bringing up the issue with the team, in order to further dive deeper into the issue could you please provide us the full schema or the model types being used. If the schema contains business logic that you would not like to share in the GitHub issue, please feel free to send the schema to amplify-cli@amazon.com.

n-francky commented 2 years ago

Hey @ykethan, I just sent the email and referenced this issue.

ykethan commented 2 years ago

Hey @n-francky, Thank you for sending us the email but it appears the attachments have been stripped from the email. Could you please try re-sending the email or send me the attachments on Discord. My handle is ykethan.

n-francky commented 2 years ago

@ykethan I re-sent it; if this does not work then I will send it via Discord.

ykethan commented 2 years ago

Hey @n-francky, Thank you for sending us the schema. I was able to reproduce the missing keyword in my application using CLI 8.2.0.

I will be transferring this issue to amplify-category-api repository for visibility.

n-francky commented 2 years ago

Hello @ykethan, any updates on this?

phani-srikar commented 8 months ago

Please upgrade your version of CLI and re-open if the issue still exists.