aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Amplify - Existing Users In Pool Cannot Authenticate with New REST API (new users can) #11197

Closed clintagossett closed 1 year ago

clintagossett commented 1 year ago

JavaScript Framework

React

Amplify APIs

REST API

Amplify Categories

auth, function, api

Environment information

```
System:
  OS: macOS 12.3.1
  CPU: (24) x64 12th Gen Intel(R) Core(TM) i9-12900KF
  Memory: 19.57 GB / 64.00 GB
  Shell: 5.8 - /bin/zsh
Binaries:
  Node: 18.15.0 - /usr/local/bin/node
  npm: 9.6.2 - /usr/local/bin/npm
Browsers:
  Chrome: 111.0.5563.146
  Safari: 15.4
npmPackages:
  @aws-amplify/ui-react: ^4.4.3 => 4.5.1
  @aws-amplify/ui-react-internal: undefined ()
  @testing-library/jest-dom: ^5.16.5 => 5.16.5
  @testing-library/react: ^13.4.0 => 13.4.0
  @testing-library/user-event: ^13.5.0 => 13.5.0
  aws-amplify: ^5.0.22 => 5.0.24
  react: ^18.2.0 => 18.2.0
  react-dom: ^18.2.0 => 18.2.0
  react-scripts: 5.0.1 => 5.0.1
  web-vitals: ^2.1.4 => 2.1.4
npmGlobalPackages:
  @aws-amplify/cli: 11.0.3
  corepack: 0.15.3
  create-next-app: 13.2.4
  create-react-app: 5.0.1
  firebase-tools: 11.24.0
  n: 9.0.1
  npm-check-updates: 16.7.10
  npm: 9.6.2
```

Describe the bug

Discussed with Chris on Discord Office Hours

We recently introduced a new REST api into our amplify application using

 amplify add api
Restrict API Access? Y
Auth/Guest Users: Authenticated users only
* create
* read
* update
* delete

When I attempt to access the API with a user who registered before the API was introduced, they get an "Error: Request failed with status code 403" response.

When I create a new user, they get a 200 success response.

If I remove "Restrict API Access" everyone can use the API.

How can I resolve this issue for my existing users?

REQUEST HEADERS FOR (PRE-API USER): 403 RESPONSE

```
:authority: ek9jyq7ach.execute-api.us-east-1.amazonaws.com
:method: POST
:path: /dev/chatresponse
:scheme: https
accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
authorization: AWS4-HMAC-SHA256 Credential=ASIAWFJFXXXXXXXX/20230406/us-east-1/execute-api/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-security-token, Signature=08fbd07aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX03af1a2
content-length: 122
content-type: application/json; charset=UTF-8
origin: https://dev.d2zrp6oqadate7.amplifyapp.com
referer: https://dev.d2zrp6oqadate7.amplifyapp.com/
sec-ch-ua: "Google Chrome";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
x-amz-date: 20230406T174914Z
x-amz-security-token: {LONG TOKEN}
```

REQUEST HEADERS FOR (POST-API USER): 200 RESPONSE

```
:authority: ek9jyq7ach.execute-api.us-east-1.amazonaws.com
:method: POST
:path: /dev/chatresponse
:scheme: https
accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
authorization: AWS4-HMAC-SHA256 Credential=ASIAWFJFXXXXXXXXX/20230406/us-east-1/execute-api/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-security-token, Signature=5094b4cc1ef777934XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX104d7
content-length: 122
content-type: application/json; charset=UTF-8
origin: https://dev.d2zrp6oqadate7.amplifyapp.com
referer: https://dev.d2zrp6oqadate7.amplifyapp.com/
sec-ch-ua: "Google Chrome";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
x-amz-date: 20230406T174757Z
x-amz-security-token: {LONG TOKEN}
```

Expected behavior

I expect all users to be able to authenticate with the request.

Reproduction steps

  1. Deploy Amplify environment without REST API.
  2. Sign up a user (User 1)
  3. Deploy Amplify REST API with authentication through the CLI
  4. Attempt to access API after logging in with User 1 (Result: 403)
  5. Sign up new user (User 2)
  6. Attempt to access API after logging in with User 2 (Result: 200)


aws-exports.js


```js
const awsmobile = {
    "aws_project_region": "us-east-1",
    "aws_appsync_graphqlEndpoint": "https://yztd65rys5ea3n7jvspbq2dq64.appsync-api.us-east-1.amazonaws.com/graphql",
    "aws_appsync_region": "us-east-1",
    "aws_appsync_authenticationType": "AMAZON_COGNITO_USER_POOLS",
    "aws_appsync_apiKey": "da2-{KEY INFO}",
    "aws_cloud_logic_custom": [
        {
            "name": "apiopenai",
            "endpoint": "https://ek9jyq7ach.execute-api.us-east-1.amazonaws.com/dev",
            "region": "us-east-1"
        }
    ],
    "aws_cognito_identity_pool_id": "us-east-1:4f33cad7-080e-440f-9172-888fbff05cbd",
    "aws_cognito_region": "us-east-1",
    "aws_user_pools_id": "us-east-1_Gki0mhtqe",
    "aws_user_pools_web_client_id": "491eoafb4gm8sbi7nagclhu54u",
    "oauth": {
        "domain": "7sh5cmtec506-dev.auth.us-east-1.amazoncognito.com",
        "scope": [
            "phone",
            "email",
            "openid",
            "profile",
            "aws.cognito.signin.user.admin"
        ],
        "redirectSignIn": "https://dev.d2zrp6oqadate7.amplifyapp.com/,https://staging.d2zrp6oqadate7.amplifyapp.com/,https://localhost:3000/",
        "redirectSignOut": "https://dev.d2zrp6oqadate7.amplifyapp.com/,https://staging.d2zrp6oqadate7.amplifyapp.com/,https://localhost:3000/",
        "responseType": "code"
    },
    "federationTarget": "COGNITO_USER_POOLS",
    "aws_cognito_username_attributes": [
        "EMAIL"
    ],
    "aws_cognito_social_providers": [
        "GOOGLE"
    ],
    "aws_cognito_signup_attributes": [
        "EMAIL",
        "NAME"
    ],
    "aws_cognito_mfa_configuration": "OFF",
    "aws_cognito_mfa_types": [
        "SMS"
    ],
    "aws_cognito_password_protection_settings": {
        "passwordPolicyMinLength": 8,
        "passwordPolicyCharacters": [
            "REQUIRES_LOWERCASE",
            "REQUIRES_NUMBERS",
            "REQUIRES_SYMBOLS",
            "REQUIRES_UPPERCASE"
        ]
    },
    "aws_cognito_verification_mechanisms": [
        "EMAIL"
    ]
};

export default awsmobile;
```

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

clintagossett commented 1 year ago

@chrisbonifacio , I've been doing some more testing and realised there was a difference between "User 1" and "User 2".

User 1 was assigned a group.
User 2 had no groups assigned.

When I removed all groups from User 1, authentication worked.

This behavior is contrary to what's expected as "authenticated users" should include all users assigned to groups. Let me know if I should resubmit to another channel.

chrisbonifacio commented 1 year ago

Hi @clintagossett , there seems to be a distinction between "authenticated" user and "user pool group" users in our documentation.

Amplify CLI allows you to restrict REST API access to

  • Only authenticated users; or
  • Authenticated and Guest users
  • User Pool Groups

See a description of these user types below

| User type | Description |
| --- | --- |
| Authenticated user | User needs to sign in to use the REST API |
| Guest user | User doesn't need to sign in to use the REST API |
| User Pool Group | User needs to sign in and belong to the User Pool Group to use the REST API |

When you try updating the REST API via the Amplify CLI, you should see three options when prompted to restrict access:

[Screenshot 2023-04-07 at 12 27 20 PM]

Here you can choose Both, and then you can grant access and permissions to both authenticated users and individual groups.

Let me know if this helps!

clintagossett commented 1 year ago

Hi @chrisbonifacio , yes, that works. I was confused as I thought "Authenticated user" would include those users who are included in a group. Apparently this is not the case. We can close this. Thanks so much for your attention here.
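The difference found above (a group member gets 403, a user with no groups gets 200) is consistent with how Amplify wires Cognito groups to IAM: when user pool groups are defined, the identity pool is configured to choose the role from the ID token, so a group member's temporary credentials come from that group's IAM role, not from the authRole that the CLI grants `execute-api:Invoke` to when you pick "Authenticated users only". The SigV4 request is then evaluated against a role with no API Gateway grant. The script below is an added diagnostic example, not code from this thread or from amplify-js: it decodes the `cognito:groups` / `cognito:preferred_role` claims of an ID token, works out which role the identity pool would hand out, and runs a simplified IAM evaluation against per-role statements. The account ID, role ARNs, and the exact policy shape are assumptions, and the ID tokens are constructed and unsigned.

```javascript
// Added example (not amplify-js code). Assumes the identity pool uses "choose role
// from token" mapping, which Amplify sets up when user pool groups exist.
const API_ARN =
  'arn:aws:execute-api:us-east-1:123456789012:ek9jyq7ach/dev/POST/chatresponse'; // constructed account id
const AUTH_ROLE = 'arn:aws:iam::123456789012:role/amplify-chatapp-dev-authRole'; // hypothetical
const GROUP_ROLE = 'arn:aws:iam::123456789012:role/us-east-1_Gki0mhtqe-adminGroupRole'; // hypothetical

// Per-role IAM statements. Shape assumed from what the Amplify CLI attaches to the
// authRole for a REST API restricted to authenticated users; the group role starts empty.
const ROLE_POLICIES = {
  [AUTH_ROLE]: [
    {
      Effect: 'Allow',
      Action: 'execute-api:Invoke',
      Resource: [
        'arn:aws:execute-api:us-east-1:123456789012:ek9jyq7ach/dev/*/chatresponse',
        'arn:aws:execute-api:us-east-1:123456789012:ek9jyq7ach/dev/*/chatresponse/*',
      ],
    },
  ],
  [GROUP_ROLE]: [],
};

// Decode the payload of a compact JWS token (no signature verification: diagnostic only).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected a three-part JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// With "choose role from token" mapping, the identity pool hands out the role named in
// cognito:preferred_role; users without that claim fall back to the authenticated role.
function effectiveRole(claims, authenticatedRoleArn) {
  return claims['cognito:preferred_role'] || authenticatedRoleArn;
}

// IAM-style wildcard matching for Action/Resource strings ('*' matches any run of characters).
function iamMatch(pattern, value) {
  const escaped = pattern.split('*').map(p => p.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + escaped.join('.*') + '$').test(value);
}

// Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants.
function isAllowed(statements, action, resource) {
  let allowed = false;
  for (const s of statements) {
    const hit = [].concat(s.Action).some(a => iamMatch(a, action)) &&
                [].concat(s.Resource).some(r => iamMatch(r, resource));
    if (!hit) continue;
    if (s.Effect === 'Deny') return false;
    if (s.Effect === 'Allow') allowed = true;
  }
  return allowed;
}

// What a given user's request to the API will look like from IAM's point of view.
function diagnose(idToken, authenticatedRoleArn, policies = ROLE_POLICIES) {
  const claims = decodeJwtPayload(idToken);
  const role = effectiveRole(claims, authenticatedRoleArn);
  return {
    groups: claims['cognito:groups'] || [],
    role,
    invokeAllowed: isAllowed(policies[role] || [], 'execute-api:Invoke', API_ARN),
  };
}

// Constructed, unsigned tokens: only the payload claims are inspected here.
function fakeIdToken(payload) {
  const enc = o => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', kid: 'example' })}.${enc(payload)}.signature`;
}
const USER1_TOKEN = fakeIdToken({ sub: 'user-1', email: 'user1@example.com',
  'cognito:groups': ['admin'], 'cognito:roles': [GROUP_ROLE], 'cognito:preferred_role': GROUP_ROLE });
const USER2_TOKEN = fakeIdToken({ sub: 'user-2', email: 'user2@example.com' });

// The fix discussed in the thread ("Both"): give the group role its own execute-api:Invoke grant.
function withGroupGrant(policies) {
  return { ...policies, [GROUP_ROLE]: [...policies[GROUP_ROLE], ...policies[AUTH_ROLE]] };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(diagnose(USER1_TOKEN, AUTH_ROLE));                          // group member: invokeAllowed false
  console.log(diagnose(USER2_TOKEN, AUTH_ROLE));                          // no groups: invokeAllowed true
  console.log(diagnose(USER1_TOKEN, AUTH_ROLE, withGroupGrant(ROLE_POLICIES))); // after the grant: true
}
```

To confirm the same thing against a live setup, compare the `cognito:preferred_role` claim of the two users' ID tokens and the `RoleMappings` returned by `aws cognito-identity get-identity-pool-roles`, then check the role that the 403 user actually assumes for an `execute-api:Invoke` allow; the evaluation above is a local approximation of that check, not a substitute for IAM's own policy simulator.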

YazidHamdi commented 6 months ago

> Hi @clintagossett , there seems to be a distinction between "authenticated" user and "user pool group" users in our documentation.
>
> Amplify CLI allows you to restrict REST API access to
>
>   • Only authenticated users; or
>   • Authenticated and Guest users
>   • User Pool Groups
>
> See a description of these user types below
>
> | User type | Description |
> | --- | --- |
> | Authenticated user | User needs to sign in to use the REST API |
> | Guest user | User doesn't need to sign in to use the REST API |
> | User Pool Group | User needs to sign in and belong to the User Pool Group to use the REST API |
>
> When you try updating the REST API via the Amplify CLI, you should see three options when prompted to restrict access:
>
> [Screenshot 2023-04-07 at 12 27 20 PM]
>
> Here you can choose Both, and then you can grant access and permissions to both authenticated users and individual groups.
>
> Let me know if this helps!

I am encountering a peculiar case where I don't get offered this option (groups or both). Here's what I get:

[image]

For context: the user pool I am using is one that I imported not one generated by the cli. Does that explain this behavior? In all other aspects it's a setup similar to the one described by the OP.