Closed sadaqatdev closed 1 year ago
Hi @sadaqatdev - Can you please share your schema (or at least a subset of it with the public/private models)?
Hi @Jordan-Nelson, the following is the schema:
```graphql
type RoomConnectServiceStatus @model @auth(rules: [{allow: private}, {allow: public, provider: iam, operations: [read]}]) {
  id: ID!
  isActivatedstatus: Boolean
  roomIdstatus: String
  serviceIDstatus: String
  currentDeviceUidstatus: String
  updateTimestatus: AWSDateTime
}

type MqttCloudConfig @model @auth(rules: [{allow: private}, {allow: public, provider: iam, operations: [read]}]) {
  id: ID!
  ip: String
  port: String
  password: String
  username: String
}

type Nurse @model @auth(rules: [{allow: private}]) {
  id: ID!
  name: String
  phone: AWSPhone!
  thumbnail: String
}

type Owner @model @auth(rules: [{allow: private}]) {
  id: ID!
  roomID: ID
  nurseID: ID
}

type Room @model @auth(rules: [{allow: private}, {allow: public, provider: iam, operations: [read]}]) {
  id: ID!
  title: String
}

type RoomConnecttoService @model @auth(rules: [{allow: private}, {allow: public, provider: iam, operations: [read]}]) {
  id: ID!
  roomID: ID
  serviceID: ID
  currentDeviceUid: String
  isActivated: Boolean
}

type Services @model @auth(rules: [{allow: private}, {allow: public, provider: iam, operations: [read]}]) {
  id: ID!
  name: String
  ordered: Boolean
  fulfilled: Boolean
  thumbnail: String
  roomConnectoId: String
}

type Patient @model @auth(rules: [{allow: private}]) {
  id: ID!
  name: String
  phone: AWSPhone!
  thumbnail: String
}

type SubscribedRooms @model @auth(rules: [{allow: private}]) {
  id: ID!
  roomID: ID
  userID: ID
}
```
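An added example (not code from this issue or from Amplify): a small audit over a subset of the schema above that reports which operations each model opens to unauthenticated clients and which credential-like field names those models carry. `SENSITIVE`, `parse_rule` and `public_exposure` are hypothetical names for this example, and the regex parser assumes single-line `@auth(rules: [...])` directives like the ones in this schema.

```python
import re

# Subset of the schema posted above, embedded so the example runs offline.
SCHEMA = """
type MqttCloudConfig @model @auth(rules: [{allow: private}, {allow: public, provider: iam, operations: [read]}]) {
  id: ID!
  ip: String
  port: String
  password: String
  username: String
}
type Nurse @model @auth(rules: [{allow: private}]) {
  id: ID!
  name: String
  phone: AWSPhone!
  thumbnail: String
}
type Room @model @auth(rules: [{allow: private}, {allow: public, provider: iam, operations: [read]}]) {
  id: ID!
  title: String
}
"""

TYPE_RE = re.compile(r"type\s+(\w+)\s+@model\s+@auth\(rules:\s*\[(.*?)\]\)\s*\{(.*?)\}", re.S)
# Hypothetical name list for this example; extend it to match your own data model.
SENSITIVE = re.compile(r"password|secret|token|key", re.I)

def parse_rule(text):
    """Turn 'allow: public, provider: iam, operations: [read]' into a dict."""
    rule = dict(re.findall(r"(\w+):\s*(\[[^\]]*\]|\w+)", text))
    ops = rule.get("operations")
    # Amplify grants all four operations when 'operations' is omitted.
    rule["operations"] = re.findall(r"\w+", ops) if ops else ["create", "read", "update", "delete"]
    return rule

def public_exposure(schema):
    """Map each model to (operations open to unauthenticated clients, sensitive-looking fields)."""
    report = {}
    for name, rules, body in TYPE_RE.findall(schema):
        ops = sorted({op for r in re.findall(r"\{(.*?)\}", rules)
                      for rule in [parse_rule(r)] if rule.get("allow") == "public"
                      for op in rule["operations"]})
        fields = re.findall(r"^\s*(\w+):", body, re.M)
        report[name] = (ops, [f for f in fields if ops and SENSITIVE.search(f)])
    return report
```

Running `public_exposure(SCHEMA)` gives the list of models that should sync without a login, and shows that `MqttCloudConfig.password` is among the fields covered by the public `read` rule.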
@sadaqatdev - Is the log you provided above the full output? Is there any additional output? For multi auth, it should attempt to perform the sync with the next auth mode if the first fails. It would be helpful to know if there is any additional output after the first sync failure.
I also want to confirm that you have the `authModeStrategy` set to `AuthModeStrategy.multiAuth`. If you are seeing this work on iOS, then I would assume you do, but can you please confirm? The multi auth docs show how to set that during configuration.
Yes, I configure multi auth, but it is not working.
Full log output:
Thanks @sadaqatdev. Can you also provide your amplifyconfig.json (with sensitive info masked or removed)?
I see you already commented on https://github.com/aws-amplify/amplify-flutter/issues/1220. This could be related, although it looks like that was resolved a while back.
```dart
const amplifyconfig = ''' {
  "UserAgent": "aws-amplify-cli/2.0",
  "Version": "1.0",
  "api": {
    "plugins": {
      "awsAPIPlugin": {
        "sisterhelpbg": {
          "endpointType": "GraphQL",
          "endpoint": " ",
          "region": "eu-west-1",
          "authorizationType": "AWS_IAM"
        }
      }
    }
  },
  "auth": {
    "plugins": {
      "awsCognitoAuthPlugin": {
        "UserAgent": "aws-amplify-cli/0.1.0",
        "Version": "0.1.0",
        "IdentityManager": {
          "Default": {}
        },
        "AppSync": {
          "Default": {
            "ApiUrl": " ",
            "Region": "eu-west-1",
            "AuthMode": "AWS_IAM",
            "ClientDatabasePrefix": " "
          },
          "sisterhelpbg_AMAZON_COGNITO_USER_POOLS": {
            "ApiUrl": " ",
            "Region": "eu-west-1",
            "AuthMode": "AMAZON_COGNITO_USER_POOLS",
            "ClientDatabasePrefix": " "
          }
        },
        "CredentialsProvider": {
          "CognitoIdentity": {
            "Default": {
              "PoolId": " ",
              "Region": "eu-west-1"
            }
          }
        },
        "CognitoUserPool": {
          "Default": {
            "PoolId": " ",
            "AppClientId": " ",
            "Region": "eu-west-1"
          }
        },
        "Auth": {
          "Default": {
            "authenticationFlowType": "USER_SRP_AUTH",
            "socialProviders": [],
            "usernameAttributes": [
              "PHONE_NUMBER"
            ],
            "signupAttributes": [
              "PHONE_NUMBER"
            ],
            "passwordProtectionSettings": {
              "passwordPolicyMinLength": 8,
              "passwordPolicyCharacters": []
            },
            "mfaConfiguration": "OFF",
            "mfaTypes": [
              "SMS"
            ],
            "verificationMechanisms": [
              "EMAIL"
            ]
          }
        }
      }
    }
  }
}''';
```
From testing, I saw unexpected behaviors with DataStore with both amplify-swift and amplify-android libraries.
To summarize the issue:
When using mixed auth rules, i.e. public permission and private/owner permission, DataStore fails to allow the public access when there is no authenticated user session.
Take this schema:
```graphql
type UserProfile @model @auth(rules: [{ allow: owner }]) {
  id: ID!
  name: String!
}

type ModelA @model @auth(rules: [{ allow: public, provider: apiKey }]) {
  id: ID!
  content: String
}

type ModelB
  @model
  @auth(
    rules: [
      { allow: public, provider: apiKey, operations: [read] }
      { allow: owner }
    ]
  ) {
  id: ID!
  content: String
}

type ModelC
  @model
  @auth(
    rules: [
      { allow: public, provider: apiKey, operations: [read] }
      { allow: private, provider: userPools }
    ]
  ) {
  id: ID!
  content: String
}
```
When configuring DataStore to use multi-auth mode with NO authenticated session:
As a developer, I want my end users to have `read` access to Model A B and C, including receiving subscription events.

models | sync queries | subscriptions |
---|---|---|
UserProfile | No | No |
ModelA | Yes | Yes |
ModelB | Yes | Yes |
ModelC | Yes | Yes |

models | sync queries | subscriptions |
---|---|---|
UserProfile | No | No |
ModelA | No | No |
ModelB | No | No |
ModelC | No | No |

What happened: with amplify-android, it attempted to create a subscription for `UserProfile` when there was no authenticated user session; the subscription failed and put DataStore into the `LOCAL_ONLY` mode. The should-be-allowed read operations on other models were not working. This makes the multi-auth mode unusable.
As a developer, I want my end users to have `read` access to Model A B and C, including receiving subscription events.

models | sync queries | subscriptions |
---|---|---|
UserProfile | No | No |
ModelA | Yes | Yes |
ModelB | Yes | Yes |
ModelC | Yes | Yes |

models | sync queries | subscriptions |
---|---|---|
UserProfile | No | No |
ModelA | Yes | Yes |
ModelB | Yes | No |
ModelC | Yes | No |

What happened: amplify-swift attempted to establish subscriptions for `ModelB` and `ModelC` using user credentials; after failure, it doesn't attempt to establish subscriptions with the API key. So the app cannot receive any update of `ModelB` and `ModelC` while the public read is allowed on these two models.
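An added example (a toy model, not code from amplify-android, amplify-swift or this issue): it reproduces the subscription columns of the tables above from the summary schema's auth rules, by switching per-model fallback and failure isolation on and off. The `PRIORITY` order and all function and flag names are assumptions made for this example.

```python
# Auth rules from the summary schema above (provider defaults written out).
MODELS = {
    "UserProfile": [("owner", "userPools")],
    "ModelA": [("public", "apiKey")],
    "ModelB": [("public", "apiKey"), ("owner", "userPools")],
    "ModelC": [("public", "apiKey"), ("private", "userPools")],
}
# Assumed priority for this example: most specific rule first, public last.
PRIORITY = {"owner": 0, "groups": 1, "private": 2, "public": 3}

def request_ok(rule, signed_in):
    """A request succeeds if the rule is public or a user session exists."""
    return rule[0] == "public" or signed_in

def sync(models, signed_in, fallback, isolate_failures):
    """Return {model: subscribed?} for one subscription pass.
    fallback: after a failed attempt, try the model's next rule.
    isolate_failures: a model with no usable rule is skipped rather than
    stopping the whole engine (the LOCAL_ONLY outcome described above)."""
    result = {}
    for name, rules in models.items():
        ordered = sorted(rules, key=lambda r: PRIORITY[r[0]])
        attempts = ordered if fallback else ordered[:1]
        result[name] = any(request_ok(r, signed_in) for r in attempts)
        if not result[name] and not isolate_failures:
            return {m: False for m in models}  # everything goes local-only
    return result

# Unauthenticated client in all three cases.
EXPECTED = sync(MODELS, signed_in=False, fallback=True, isolate_failures=True)
ANDROID_OBSERVED = sync(MODELS, signed_in=False, fallback=True, isolate_failures=False)
SWIFT_OBSERVED = sync(MODELS, signed_in=False, fallback=False, isolate_failures=True)
```

The three results differ only in the two flags, which is the distinction the comment draws: one denied model must not disable sync for the rest, and a failed user-credential attempt must fall through to the public rule.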
I also quickly tested with the GraphQL API, Cognito + API key. Whenever I try to access without a Cognito user, even a public model, it gives an error.
Hi @MarlonJD thanks for testing and following up.
I believe the API plugin doesn't have an automatic fall-back mechanism like DataStore to choose a working auth strategy.
If you are using multi-auth with the API plugin, you probably need to specify which auth mode you are going to use when initiating an operation. For details, see: https://docs.amplify.aws/lib/graphqlapi/authz/q/platform/flutter/#configure-multiple-authorization-modes
Hmm I'm using API GraphQL instead of DataStore but I'll try with specifying apiName. I'll let you know soon
This should be resolved in the next release (after https://github.com/aws-amplify/amplify-flutter/pull/3612 is merged). Given the following schema, below are the results for an unauthenticated user. The results are the same on iOS and Android.
models | sync queries | subscriptions |
---|---|---|
UserProfile | No | No |
ModelA | Yes | Yes |
ModelB | Yes | Yes |
ModelC | Yes | Yes |
```graphql
type UserProfile @model @auth(rules: [{ allow: owner }]) {
  id: ID!
  name: String!
}

type ModelA @model @auth(rules: [{ allow: public, provider: apiKey }]) {
  id: ID!
  content: String
}

type ModelB
  @model
  @auth(
    rules: [
      { allow: public, provider: apiKey, operations: [read] }
      { allow: owner }
    ]
  ) {
  id: ID!
  content: String
}

type ModelC
  @model
  @auth(
    rules: [
      { allow: public, provider: apiKey, operations: [read] }
      { allow: private, provider: userPools }
    ]
  ) {
  id: ID!
  content: String
}
```
Awesome, happy to hear that. I couldn't use DataStore for these reasons. I'll try it when it is released. Thanks!
As mentioned above, this should be resolved as of v1.4.0
Description
Without login, public models are not synced on Android; iOS works fine.
Categories
Steps to Reproduce
Create a public model, use IAM auth and add data; an exception occurs.
Screenshots
No response
Platforms
Android Device/Emulator API Level
No response
Environment
Dependencies
Device
android Samsung G9
OS
NA
CLI Version
8.3.1
Additional Context
No response