aws-amplify / amplify-flutter

A declarative library with an easy-to-use interface for building Flutter applications on AWS.
https://docs.amplify.aws
Apache License 2.0

Datastore update auth groups Unauthorized error #5162

Closed jamontesg closed 1 month ago

jamontesg commented 3 months ago

Description

I have a table using authorization rules with Cognito groups:

type Item
  @model
  @auth(rules: [
    { allow: groups, groups: ["Admin"], operations: [create, update, read, delete] }
    { allow: groups, groups: ["Api", "Operative"], operations: [create, update, read] }
    { allow: groups, groups: ["Guest"], operations: [read] }
  ])

Profile Operative has permission "update" but not delete.

When I try to update an item with this code:

import 'dart:developer' as developer;
import 'package:amplify_flutter/amplify_flutter.dart';

// `itm` is the item being updated and `img` holds the new images to append.
final oldItem = (await Amplify.DataStore.query(
  Item.classType,
  where: Item.TENANTID.eq(itm.tenantId).and(Item.ID.eq(itm.id)),
)).first;

final List<S3Object>? images = oldItem.images;
final List<S3Object> nImage = [...img, ...?images];

// Only `images` changes; every other field is copied from oldItem.
final newItem = oldItem.copyWith(tenantId: itm.tenantId, id: itm.id, images: nImage);
try {
  await Amplify.DataStore.save(newItem);
} on DataStoreException catch (e) {
  developer.log('error saving new image: ${e.message}');
}

This code only updates the field "images" and generates the following error:

AppSync response contained errors = [GraphQLResponse.Error{message='Unauthorized on [production, description,  cattleLot lastOwner, letag, admissionDate, cost, purchase, market, retag, sale]', locations='[GraphQLLocation{line='2', column='3'}]', 

path='[GraphQLPathSegment{value='updateItem'}]', extensions='{errorInfo=null, data=null, errorType=Unauthorized}'}], errors=[GraphQLResponse.Error{message='Unauthorized on [production, description, cattleLot,  lastOwner, letag, admissionDate, cost, purchase, market, retag, sale]', locations='[GraphQLLocation{line='2', column='3'}]', 

But, if I add a "delete" permission

{ allow: groups, groups: ["Api", "Operative"], operations: [create, update, read, delete] }

updating the record works fine.

Does my update function have any errors? What are the auth rules for update (without delete permission)?

Kind regards, thanks for your time.

Steps to Reproduce

1. Configure DynamoDB / API / Auth with Cognito group access.
2. Define an auth rule with update but without delete permission.
3. Try to update an item.

Flutter Version

3.22.2

Amplify Flutter Version

2.2.0

Deployment Method

Amplify CLI

Schema

type Item
  @model
  @auth(rules: [
    { allow: groups, groups: ["Admin"], operations: [create, update, read, delete] }
    { allow: groups, groups: ["Api", "Operative"], operations: [create, update, read, delete] }
    { allow: groups, groups: ["Guest"], operations: [read] }
  ]) {
  tenantId: ID! @primaryKey(sortKeyFields: ["id"])  # customized foreign key for parent primary key
  #tenantId: ID! @primaryKey(sortKeyFields: ["id"])

  locationId: ID! @index(sortKeyFields: ["ck"])
  location: String!
  #location: String! @index(sortKeyFields: ["ck"])

  id: ID!
  group: String
  groupId: String
  parcel: String
  parcelId: String
  cattleLot: String
  ck: String!
  ckt: String

  aid: String
  altaid: String
  alias: String
  name: String
  description: String

  admissionDate: AWSDate

  lastOwner: String
  cost: Float

  market: AWSDate
  purchase: Float
  retag: String
  letag: String
  eid: String
  events: [Event]
  production: [Production]
  weights: [Weight]
  images: [S3Object]
  documents: [S3Object]

  type: AnimalType!
  gender: Gender!
  breed: String
  color: String
  status: ItemStatus!
  sale: Float

}

type S3Object {
  name: String
  date: AWSDateTime!
  bucket: String!
  region: String!
  key: String
  localPath: String
  ownerId: String
  ownerName: String
}

Equartey commented 3 months ago

Hi @jamontesg, your update function looks good to me. Do you see this behavior on iOS too?

jamontesg commented 3 months ago

Thanks @Equartey. iOS --> ok, Android --> error.

(Tests done in emulators.) Please tell me if you need more info.

jamontesg commented 2 months ago

Hi @Equartey, any news about this issue?

Equartey commented 2 months ago

Hi @jamontesg, no updates yet. Still need to reproduce the error. We will provide an update from our investigation when possible.

Equartey commented 2 months ago

Hi @jamontesg, small update: I was able to reproduce the issue, and believe this to be a bug. Will be working next on finding the root cause and a solution. Updates to follow.

jamontesg commented 2 months ago

Thanks @Equartey, tell me if you need more info from my side.

khatruong2009 commented 1 month ago

@jamontesg we will let you know if there is any information you need, thanks.

jamontesg commented 1 month ago

Thanks @khatruong2009.

NikaHsn commented 1 month ago

@jamontesg we are working with the Amplify Android team to investigate this issue and will provide you updates as we have them. Thanks for your patience.

Equartey commented 1 month ago

Hi @jamontesg, sorry for the delay.

I investigated this with both the Amplify Swift and Android teams, and we have determined that the observed error is expected. Update mutations within DataStore require the delete permission. This is due to our libraries including null in the request variables for all fields on a model not explicitly specified with a value. This is already the case in native Android and Swift DataStore.

To explain what was seen here, Android was working correctly by returning the error. The observation that Swift was working was the result of a bug and will be corrected to mirror behavior observed on Android.

I have an open PR https://github.com/aws-amplify/amplify-flutter/pull/5370 to address this. I will notify you here when it's available.

Again, apologies for the delay, please let us know if you have any additional questions.

jamontesg commented 1 month ago

Thanks @Equartey, if Android is working properly, what is the update permission for? I think that the update permission is useless.

Equartey commented 1 month ago

Hi @jamontesg, while using DataStore I understand that conclusion. Unfortunately, it's currently a technical requirement when using DataStore.

If you want to use the update permission how you were initially thinking, I recommend using the API category escape hatch to create your own GraphQL requests. The requests generated by the library make assumptions about how to handle null values.
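As an added illustration of the escape hatch suggested above (and of why the DataStore path fails, as explained in the earlier maintainer comment), this is not code from the thread or from the Amplify project: a hand-written mutation that sends only the key fields, `images` and `_version`, so AppSync evaluates the group rule for `images` alone instead of for every nulled field. It assumes the CLI-generated `UpdateItemInput` type for the schema in this issue, that `_version` exists because DataStore enables conflict detection, and that images are passed as plain maps matching `S3ObjectInput`; the function name is made up.

```dart
import 'package:amplify_flutter/amplify_flutter.dart';

// Assumed: generated input type is UpdateItemInput and `images` takes
// S3ObjectInput values; `_version` is present because DataStore conflict
// detection is enabled on this API.
const String _updateItemImagesDoc = r'''
mutation UpdateItemImages($input: UpdateItemInput!) {
  updateItem(input: $input) {
    tenantId
    id
    images { name date bucket region key localPath ownerId ownerName }
    _version
  }
}
''';

/// Appends [newImages] to the item identified by [tenantId]/[id].
/// Only the key fields, `images` and `_version` are sent, so fields the
/// Operative group may not touch are absent from the request instead of
/// being set to null. Throws if AppSync returns GraphQL errors.
Future<void> appendItemImages({
  required String tenantId,
  required String id,
  required int version,
  required List<Map<String, dynamic>> currentImages,
  required List<Map<String, dynamic>> newImages,
}) async {
  final request = GraphQLRequest<String>(
    document: _updateItemImagesDoc,
    variables: {
      'input': {
        'tenantId': tenantId,
        'id': id,
        '_version': version, // current version, or the write is rejected as a conflict
        'images': [...newImages, ...currentImages], // merge, like the copyWith flow
      },
    },
    // Group rules are evaluated against the Cognito User Pool token.
    authorizationMode: APIAuthorizationType.userPools,
  );

  final response = await Amplify.API.mutate(request: request).response;
  if (response.hasErrors) {
    // Surfaces messages such as "Unauthorized on [...]" to the caller.
    throw Exception(response.errors.map((e) => e.message).join('; '));
  }
  safePrint('updateItem ok: ${response.data}');
}
```

The local DataStore copy picks up the change through its sync subscription rather than immediately, so read `_version` from the synced record before calling this and avoid mixing it with `Amplify.DataStore.save` on the same record in one flow.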

jamontesg commented 1 month ago

Ok @Equartey, thanks for your time.

Jordan-Nelson commented 1 month ago

Closing this issue out as it was released in v2.4.1

github-actions[bot] commented 1 month ago

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.