aws-amplify / amplify-flutter

A declarative library with an easy-to-use interface for building Flutter applications on AWS.
https://docs.amplify.aws
Apache License 2.0

Datastore Sync and API gives error of unauthorized to UPDATE OR DELETE only #2211

Closed ErnestDaDev closed 1 year ago

ErnestDaDev commented 1 year ago

Description

In my schema I have @auth with owner with full operations (CRUD). In the app, syncing is done perfectly: it can create and read, but it immediately says unauthorized when I attempt to either update or delete the record when it tries to sync. It gets deleted locally but it never makes it to the cloud. I tried with the API directly, as you can see in the screenshot, and it gives the error unauthorized. Am I doing something wrong somewhere? It just seems strange that I can create and read but it explicitly prevents deletion and updating even when I have the permissions. It's been 5 days now of trying, still no solution. As you can see attached, when I print out the -acm, it confirms owner can perform CRUD. @HuiSF What do you think might be the issue here? Thanks in advance.

Here is the schema.

Categories

Steps to Reproduce

No response

Screenshots

Platforms

Android Device/Emulator API Level

API 24, API 32+

Environment

Doctor summary (to see all details, run flutter doctor -v):
[√] Flutter (Channel stable, 3.3.2, on Microsoft Windows [Version 10.0.19044.2006], locale en-GB)
[√] Android toolchain - develop for Android devices (Android SDK version 33.0.0)
[√] Chrome - develop for the web
[√] Visual Studio - develop for Windows (Visual Studio Build Tools 2019 16.11.17)
[√] Android Studio (version 2021.2)
[√] VS Code (version 1.70.0)
[√] Connected device (4 available)
[√] HTTP Host Availability

• No issues found!

Dependencies

Dart SDK 2.18.1
Flutter SDK 3.3.2
app 1.0.0+1

dependencies:
- amplify_api 0.6.8 [amplify_api_android amplify_api_ios amplify_core amplify_flutter aws_common collection flutter meta plugin_platform_interface]
- amplify_auth_cognito 0.6.8 [amplify_auth_cognito_android amplify_auth_cognito_ios amplify_core aws_common collection flutter meta plugin_platform_interface]
- amplify_datastore 0.6.8 [flutter amplify_datastore_plugin_interface amplify_core plugin_platform_interface meta collection async]
- amplify_flutter 0.6.8 [amplify_core amplify_datastore_plugin_interface amplify_flutter_android amplify_flutter_ios aws_common collection flutter meta plugin_platform_interface]
- amplify_storage_s3 0.6.8 [amplify_storage_s3_android amplify_storage_s3_ios amplify_core aws_common flutter meta plugin_platform_interface path_provider path]
- animations 2.0.5 [flutter]
- archive 3.3.1 [crypto path]
- auto_size_text 3.0.0 [flutter]
- awesome_notifications 0.7.0-beta.7+5 [flutter flutter_web_plugins plugin_platform_interface intl]
- back_button_interceptor 6.0.1 [collection flutter]
- badges 2.0.3 [flutter]
- cached_network_image 3.2.2 [flutter flutter_cache_manager octo_image cached_network_image_platform_interface cached_network_image_web]
- connectivity_plus 2.3.7 [flutter connectivity_plus_platform_interface connectivity_plus_linux connectivity_plus_macos connectivity_plus_web connectivity_plus_windows]
- cupertino_icons 1.0.5
- device_info_plus 4.1.2 [flutter device_info_plus_platform_interface device_info_plus_macos device_info_plus_linux device_info_plus_web device_info_plus_windows]
- dio 4.0.6 [http_parser path]
- feature_discovery 0.14.1 [flutter provider shared_preferences]
- firebase_app_check 0.0.8 [firebase_app_check_platform_interface firebase_app_check_web firebase_core firebase_core_platform_interface flutter]
- firebase_core 1.24.0 [firebase_core_platform_interface firebase_core_web flutter meta]
- firebase_dynamic_links 4.3.9 [firebase_core firebase_core_platform_interface firebase_dynamic_links_platform_interface flutter meta plugin_platform_interface]
- firebase_messaging 12.0.3 [firebase_core firebase_core_platform_interface firebase_messaging_platform_interface firebase_messaging_web flutter meta]
- flutter 0.0.0 [characters collection material_color_utilities meta vector_math sky_engine]
- flutter_accessibility_service 0.2.2 [flutter]
- flutter_dotenv 5.0.2 [flutter]
- flutter_form_builder 7.6.0 [flutter intl collection]
- flutter_native_splash 2.2.5 [args flutter flutter_web_plugins image js lint meta path universal_io xml yaml]
- flutter_scroll_to_top 2.2.4 [flutter]
- flutter_secure_storage 6.0.0 [flutter flutter_secure_storage_linux flutter_secure_storage_macos flutter_secure_storage_platform_interface flutter_secure_storage_web flutter_secure_storage_windows meta]
- font_awesome_flutter 10.2.1 [flutter]
- form_builder_validators 8.3.0 [flutter flutter_localizations intl]
- get 4.6.5 [flutter]
- grouped_list 5.1.2 [flutter]
- hive 2.2.3 [meta crypto]
- hive_flutter 1.1.0 [flutter hive path_provider path]
- image 3.2.0 [archive meta xml]
- image_picker 0.8.5+3 [flutter image_picker_android image_picker_for_web image_picker_ios image_picker_platform_interface]
- intl 0.17.0 [clock path]
- introduction_screen 3.0.2 [flutter dots_indicator collection]
- multi_select_flutter 4.1.2 [flutter collection]
- path 1.8.2
- path_provider 2.0.11 [flutter path_provider_android path_provider_ios path_provider_linux path_provider_macos path_provider_platform_interface path_provider_windows]
- permission_handler 10.0.2 [flutter meta permission_handler_android permission_handler_apple permission_handler_windows permission_handler_platform_interface]
- pin_plus_keyboard 2.0.5 [flutter]
- pinput 2.2.12 [flutter smart_auth]
- pull_to_refresh_flutter3 2.0.1 [flutter]
- responsive_framework 0.2.0 [flutter collection]
- share_plus 4.4.0 [meta mime flutter share_plus_platform_interface share_plus_linux share_plus_macos share_plus_windows share_plus_web]
- shared_preferences 2.0.15 [flutter shared_preferences_android shared_preferences_ios shared_preferences_linux shared_preferences_macos shared_preferences_platform_interface shared_preferences_web shared_preferences_windows]
- skeletons 0.0.3 [flutter]
- syncfusion_flutter_charts 20.3.47 [flutter intl vector_math syncfusion_flutter_core]
- telephony 0.2.0 [flutter platform]
- ussd_advanced 1.0.0 [flutter]
- uuid 3.0.6 [crypto]

Device

NA

OS

Android 10

Deployment Method

Amplify CLI

CLI Version

10.2.2

Additional Context

No response

Amplify Config

{
  "UserAgent": "aws-amplify-cli/2.0",
  "Version": "1.0",
  "api": {
    "plugins": {
      "awsAPIPlugin": {
        "app": {
          "endpointType": "GraphQL",
          "endpoint": "hidden",
          "region": "eu-west-2",
          "authorizationType": "AMAZON_COGNITO_USER_POOLS",
          "apiKey": "hidden"
        }
      }
    }
  },
  "auth": {
    "plugins": {
      "awsCognitoAuthPlugin": {
        "UserAgent": "aws-amplify-cli/0.1.0",
        "Version": "0.1.0",
        "IdentityManager": { "Default": {} },
        "CredentialsProvider": {
          "CognitoIdentity": {
            "Default": { "PoolId": "hidden", "Region": "eu-west-2" }
          }
        },
        "CognitoUserPool": {
          "Default": { "PoolId": "hidden", "AppClientId": "hidden", "Region": "eu-west-2" }
        },
        "Auth": {
          "Default": {
            "authenticationFlowType": "USER_SRP_AUTH",
            "socialProviders": [],
            "usernameAttributes": [ "PHONE_NUMBER" ],
            "signupAttributes": [ "EMAIL" ],
            "passwordProtectionSettings": {
              "passwordPolicyMinLength": 8,
              "passwordPolicyCharacters": []
            },
            "mfaConfiguration": "OFF",
            "mfaTypes": [ "SMS" ],
            "verificationMechanisms": [ "PHONE_NUMBER" ]
          }
        },
        "AppSync": {
          "Default": {
            "ApiUrl": "hidden",
            "Region": "eu-west-2",
            "AuthMode": "AMAZON_COGNITO_USER_POOLS",
            "ClientDatabasePrefix": "app_AMAZON_COGNITO_USER_POOLS"
          },
          "app_API_KEY": {
            "ApiUrl": "hidden",
            "Region": "eu-west-2",
            "AuthMode": "API_KEY",
            "ApiKey": "hidden",
            "ClientDatabasePrefix": "app_API_KEY"
          },
          "app_AWS_IAM": {
            "ApiUrl": "hidden",
            "Region": "eu-west-2",
            "AuthMode": "AWS_IAM",
            "ClientDatabasePrefix": "app_AWS_IAM"
          }
        }
      }
    }
  }
}

ErnestDaDev commented 1 year ago

So I figured it out: the unauthorized on owner was referring to the owner field on the schema:

owner: String @auth(rules: [{ allow: owner, operations: [create, read] }])

So after I changed it to

owner: String @auth(rules: [{ allow: owner, operations: [create, read, update, delete] }])

it works now. So the question actually is: how do I get the owner to update or delete a record without touching the owner field? Initially I knew AWS Amplify did not allow us to touch the field if not explicitly stated in the @auth.

In the docs, it says: "To prevent an owner from reassigning their record to another user, protect the owner field (by default owner: String) with a field-level authorization rule. For example, in a social media app, you would want to prevent Alice from being able to reassign Alice's Post to Bob."

type Todo @model @auth(rules: [{ allow: owner }]) {
  id: ID!
  description: String
  owner: String @auth(rules: [{ allow: owner, operations: [read, delete] }])
}

So the question actually is: how do I get the owner to update or delete a record without touching the owner field on the server side?

mlaube commented 1 year ago

I have the same problem after fulfilling the Amplify CLI recommendations:

⚠️ WARNING: owners may reassign ownership for the following model(s) and role(s): Place: [owner], RepoTimeRange: [owner]. If this is not intentional, you may want to apply field-level authorization rules to these fields. To read more: https://docs.amplify.aws/cli/graphql/authorization-rules/#per-user--owner-based-data-access.

amplify cli version 10.3.0

amplify_datastore: ^0.6.9
amplify_flutter: ^0.6.9

HuiSF commented 1 year ago

Hi @ErnestDaDev @mlaube field level auth is not applicable to DataStore.

For your example use case @ErnestDaDev, when you use owner auth, by default you don't need to list the owner field in the model, unless you want to override this field. By default, the default owner field is not explicit in the generated model, so when you update the model, you are not able to reassign the owner field.

e.g. take model

type TestAuth @model @auth(rules: [{allow: owner}]) {
  id: ID!
  content: String
}

Generated model fields

@immutable
class TestAuth extends Model {
  static const classType = const _TestAuthModelType();
  final String id;
  final String? _content;
  final TemporalDateTime? _createdAt;
  final TemporalDateTime? _updatedAt;
  ...
}

Please let me know if this helps or you have other questions regarding this use case.
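
A schema check for the pattern discussed in this thread, as an added example (not code from the thread or from the Amplify project): it flags field-level @auth rules on @model types whose operations list omits update or delete, the configuration that produced the unauthorized sync errors reported above. The parser is a regex heuristic rather than a full GraphQL parser, and the function names and the sample schema are constructed for illustration.

```python
import re

# Constructed sample, modelled on the two schema snippets quoted in the thread.
SAMPLE_SCHEMA = """
type Todo @model @auth(rules: [{ allow: owner }]) {
  id: ID!
  description: String
  owner: String @auth(rules: [{ allow: owner, operations: [create, read] }])
}

type TestAuth @model @auth(rules: [{ allow: owner }]) {
  id: ID!
  content: String
}
"""

# field name, its type, then any directives (directive args assumed to hold no nested parens)
FIELD_RE = re.compile(r"(\w+)\s*:\s*[\w\[\]!]+((?:\s*@\w+(?:\([^)]*\))?)*)")
AUTH_RE = re.compile(r"@auth\(([^)]*)\)")
RULE_RE = re.compile(r"\{([^}]*)\}")
OPS_RE = re.compile(r"operations\s*:\s*\[([^\]]*)\]")
ALL_OPS = {"create", "read", "update", "delete"}


def _model_bodies(schema):
    """Yield (type_name, body) for each `type X @model`.

    Braces inside (...) directive arguments are skipped so the
    type-level @auth rule is not mistaken for the type body.
    """
    for m in re.finditer(r"\btype\s+(\w+)", schema):
        depth, start = 0, None
        for i in range(m.end(), len(schema)):
            ch = schema[i]
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "{" and depth == 0 and start is None:
                start = i + 1
            elif ch == "}" and depth == 0 and start is not None:
                if "@model" in schema[m.end():start - 1]:
                    yield m.group(1), schema[start:i]
                break


def find_restrictive_field_auth(schema):
    """Return (type, field, missing_ops) for each field-level rule lacking update/delete."""
    findings = []
    for type_name, body in _model_bodies(schema):
        for field in FIELD_RE.finditer(body):
            for auth in AUTH_RE.finditer(field.group(2)):
                for rule in RULE_RE.finditer(auth.group(1)):
                    ops_match = OPS_RE.search(rule.group(1))
                    # A rule without an operations list grants all four operations.
                    ops = set(re.findall(r"\w+", ops_match.group(1))) if ops_match else ALL_OPS
                    missing = sorted({"update", "delete"} - ops)
                    if missing:
                        findings.append((type_name, field.group(1), missing))
    return findings


if __name__ == "__main__":
    for type_name, field, missing in find_restrictive_field_auth(SAMPLE_SCHEMA):
        print(f"{type_name}.{field}: field-level rule omits {', '.join(missing)}")
```
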

Jordan-Nelson commented 1 year ago

@ErnestDaDev @mlaube - Please let us know if the info above does not answer the question, or if you have other questions. Thanks.

ErnestDaDev commented 1 year ago

@Jordan-Nelson Yes, this answers it. So the error in the console applies to the API directly, that is, using a GraphQL mutation?

HuiSF commented 1 year ago

What console are you referring to @ErnestDaDev ? AppSync console? Or your IDE debugger? When you see the error are you using DataStore? Or the API plugin individually?

HuiSF commented 1 year ago

In general, field level auth has not been formally supported in Amplify libraries including both API and DataStore plugins.

mlaube commented 1 year ago

> @ErnestDaDev @mlaube - Please let us know if the info above does not answer the question, or if you have other questions. Thanks.

After removing the owner field from the model, Amplify CLI is still warning:

⚠️ WARNING: owners may reassign ownership for the following model(s) and role(s): RepoPlace: [owner], RepoZone: [owner], RepoTimeRange: [owner]. If this is not intentional, you may want to apply field-level authorization rules to these fields. To read more: https://docs.amplify.aws/cli/graphql/authorization-rules/#per-user--owner-based-data-access.

amplify cli version 10.5.1

amplify_datastore: ^0.6.10
amplify_flutter: ^0.6.10

HuiSF commented 1 year ago

Hi @mlaube, you can safely ignore this warning with DataStore use cases.

mlaube commented 1 year ago

OK thanks