aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0

@auth with multiple ownerField #3980

Closed andreialecu closed 4 years ago

andreialecu commented 4 years ago

Which Category is your question related to?

auth

Amplify CLI Version

You can use amplify -v to check the amplify cli version on your system

4.18.0

What AWS Services are you utilizing?

appsync + cognito

Provide additional details e.g. code snippets

We're running into an issue with allowing two separate users access over a single model. This is the schema:

type Friend
  @model(subscriptions: null)
  @auth(
    rules: [
      { allow: owner, ownerField: "userId" }, 
      { allow: owner, ownerField: "friendId" }, # allow the friend at the other end to delete it
      { allow: groups, groups: ["Admins"] } # allow admins full access
    ]
  ) {
  id: ID!
  userId: ID!
  user: User @connection(fields: ["userId"])
  friendId: ID!
  friend: User @connection(fields: ["friendId"])
  accept: Boolean # allow the friend at the other end to accept it
}

The main owner (userId == cognito.username) can modify the record, but friendId cannot.

I have even tried it on the appsync console:

mutation DeleteFriend($input: DeleteFriendInput!) {
  deleteFriend(input: $input) {
    id
    userId
    friendId
  }
}

The error is as follows:

{
  "data": {
    "deleteFriend": null
  },
  "errors": [
    {
      "path": [
        "deleteFriend"
      ],
      "data": {
        "id": "0a193cbc-d8f2-47fc-b860-a6650fdf32bf",
        "userId": "3b2a20ab-221b-40b1-a08b-c97235c7f19f",
        "friendId": "ca2aa5f0-5544-4d30-aec7-e7ad68b0b236"
      },
      "errorType": "DynamoDB:ConditionalCheckFailedException",
      "errorInfo": null,
      "locations": [
        {
          "line": 2,
          "column": 3,
          "sourceName": null
        }
      ],
      "message": "The conditional request failed (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: ConditionalCheckFailedException; Request ID: M3Q254VSMNUJV3L5O13GDFJBHVVV4KQNSO5AEMVJF66Q9ASUAAJG)"
    }
  ]
}

Here's a screenshot that confirms on the appsync console that the current logged in user is the same user as what friendId is assigned to.

What could be wrong?

An additional question: Why is the owner field still being populated in dynamodb? The initial model didn't specify an ownerField, but it seems new records still get assigned the owner field. Shouldn't it just populate and use userId instead?

andreialecu commented 4 years ago

Upon further investigation, it seems even after removing all @auth directives from the model the error persists.

I think amplify push is not updating cloud AWS resources properly even though it detects changes and succeeds in pushing:

UPDATE_COMPLETE apix AWS::CloudFormation::Stack Thu Apr 16 2020 18:56:36 GMT+0300 (Eastern European Summer Time) 
⠇ Updating resources in the cloud. This may take a few minutes...

UPDATE_COMPLETE x-dev-y AWS::CloudFormation::Stack Thu Apr 16 2020 18:56:41 GMT+0300 (Eastern European Summer Time) 
UPDATE_COMPLETE authxff7aed9e        AWS::CloudFormation::Stack Thu Apr 16 2020 18:56:40 GMT+0300 (Eastern European Summer Time) 
✔ Generated GraphQL operations successfully and saved at ../../../../s/Projects/x/src/graphql
✔ Code generated successfully and saved in file ../../../../s/Projects/x/src/API.ts
✔ All resources are updated in the cloud

GraphQL endpoint: https://xyz.appsync-api.eu-west-1.amazonaws.com/graphql

andreialecu commented 4 years ago

Update:

It looks like the Resolver for Mutation.deleteFriend as per the AppSync console does not match the contents of amplify/backend/api/xyz/build/resolvers/Mutation.deleteFriend.req.vtl and is never being updated even though modifying the schema and pushing it results in a bunch of cloudformation updates being completed properly.

The contents of the resolver on AppSync is the same as the initial one where the default owner field was being used.

So the files in amplify/backend/api/xyz/build/resolvers/ are being updated, but they are not updating in AppSync even though amplify push is completing successfully.

andreialecu commented 4 years ago

Looks like this was again related to the path saved in amplify/.config/local-env-info.json/projectPath after creating a copy of the project.

The project was copied to a new directory but the path in the configuration json remained the old one.

Please do something to validate whether the path is correct at least for the current project when the amplify cli is called, if it cannot be automatically determined for some reason.

This makes it a duplicate of https://github.com/aws-amplify/amplify-cli/issues/3901
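
Added example, not part of the original thread and not Amplify CLI code: the validation requested in the comment above, written as a standalone Node.js check that compares projectPath in amplify/.config/local-env-info.json with the directory the file actually lives in. The function names and the sample directories are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

const CONFIG = path.join('amplify', '.config', 'local-env-info.json');

// Walk upward from startDir to the directory that holds amplify/.config/local-env-info.json.
function findProjectRoot(startDir) {
  let dir = path.resolve(startDir);
  for (;;) {
    if (fs.existsSync(path.join(dir, CONFIG))) return dir;
    const parent = path.dirname(dir);
    if (parent === dir) return null; // reached the filesystem root
    dir = parent;
  }
}

// Resolve symlinks when the path exists; a path that no longer exists is only normalized.
function canonical(p) {
  try { return fs.realpathSync(p); } catch (e) { return path.resolve(p); }
}

// Compare the recorded projectPath with the directory the config file actually lives in.
function checkProjectPath(startDir) {
  const root = findProjectRoot(startDir);
  if (!root) return { ok: false, reason: 'no-amplify-project' };
  let info;
  try { info = JSON.parse(fs.readFileSync(path.join(root, CONFIG), 'utf8')); }
  catch (e) { return { ok: false, reason: 'unreadable-config' }; }
  if (typeof info.projectPath !== 'string') return { ok: false, reason: 'missing-projectPath' };
  const recorded = canonical(info.projectPath);
  const actual = canonical(root);
  if (recorded === actual) return { ok: true, actual };
  return { ok: false, reason: 'stale-projectPath', recorded, actual };
}

// Constructed sample: a project directory and a copy that keeps the original's projectPath.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'amplify-path-'));
  const dirs = ['app', 'app-copy'].map((name) => path.join(base, name));
  for (const dir of dirs) {
    fs.mkdirSync(path.join(dir, 'amplify', '.config'), { recursive: true });
    fs.writeFileSync(path.join(dir, CONFIG), JSON.stringify({ projectPath: dirs[0] }));
  }
  return { original: checkProjectPath(dirs[0]), copy: checkProjectPath(path.join(dirs[1], 'amplify')) };
}

console.log(demo());
```

Running checkProjectPath(process.cwd()) before a push would flag the copied project as stale-projectPath instead of letting the push report success against the wrong directory.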

github-actions[bot] commented 3 years ago

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels for those types of questions.