aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

DataStore does not sync if using owner @auth #13769

Open PeterSchoell opened 3 months ago

PeterSchoell commented 3 months ago


JavaScript Framework

Vue

Amplify APIs

DataStore

Amplify Version

v6

Amplify Categories

api

Backend

Amplify CLI

Environment information

```
"aws-amplify": "6.5.3",
```

Describe the bug

I have an application that uses AppSync DataStore with a model `Tenant` and an `owner` as authorisation method at field level.

When I submit a query via the AWS GUI, everything works as expected.

In the application, however, the sync throws a warning and no data is synchronised at all.

DataStore - User is unauthorised to query syncTenants with auth mode userPool. No data could be returned.

In https://github.com/aws-amplify/amplify-js/issues/6625 switching to Cognito as the authentication method should help - however, this is already set for me.

"aws_appsync_authenticationType": "AMAZON_COGNITO_USER_POOLS",

Expected behavior

All data is also synchronised via the datastore

Reproduction steps

Code Snippet

// Put your code below this line.

Log output

```
// Put your logs below this line
```

aws-exports.js

"aws_appsync_authenticationType": "AMAZON_COGNITO_USER_POOLS",

Manual configuration

No response

Additional configuration

```graphql
type Tenant @model  @auth(
      rules: [
        { allow: groups, groups: ["VerifiedUser"], operations: [read] }
        { allow: groups, groups: ["Admin"], operations: [create, update, read, delete] }
      ]
    ) 
  {
  id: ID! @primaryKey @auth(
      rules: [
        { allow: groups, groups: ["VerifiedUser"], operations: [read] }
        { allow: groups, groups: ["Admin"], operations: [create, update, read, delete] }
        { allow: owner, operations: [create, update, read, delete] }
      ]
    )
  tenantName: String
  tenantPlan: String
  tenantPayment: String
  tenantAddress: AWSJSON @auth(rules: [{ allow: owner, operations: [create, update, read, delete] }])
}
```

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

chrisbonifacio commented 3 months ago

Hi @PeterSchoell 👋 thanks for raising this issue!

You mentioned that there is owner auth at the field level but it seems that your model level auth only allows users that belong to certain groups to read data from the table. Have you tried adding owner auth to the model level?

```diff
type Tenant @model @auth(
  rules: [
    { allow: groups, groups: ["VerifiedUser"], operations: [read] }
    { allow: groups, groups: ["Admin"], operations: [create, update, read, delete] }
+ { allow: owner, operations: [create, update, read, delete] } 
  ]
) {
  id: ID! @primaryKey
  tenantName: String
  tenantPlan: String
  tenantPayment: String
  tenantAddress: AWSJSON
  owner: String
}
```

With an owner auth rule, when records are created an owner field will be populated with the sub::username of the current user. Keep in mind that you can only be authorized to access records either as the owner OR belonging to an authorized group, but not both.
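The comment above describes two things that are easy to get wrong when reasoning about `@auth`: rules at the same level are OR-ed (a principal only needs to satisfy one of them), and a group rule and an owner rule are separate grants, so a group member who is not the owner does not inherit owner-only access. The following is an added example, not code from amplify-js or from either participant in this thread. It is a deliberately simplified, stand-alone model of that rule composition: the rule objects mirror the schema in this thread, the `sub::username` owner format follows the comment, and the layering of a field's own rules over the model-level rules (a record must pass the model-level rules first, then each field with its own rules is checked against those) is an assumption of this toy evaluator, not a statement about how the AppSync resolvers actually behave.

```javascript
// Added example: a simplified evaluator of @auth rule semantics.
// Constructed to illustrate owner-vs-group grants; not Amplify's resolver logic.

// Model-level rules mirroring the suggested schema in this thread.
const MODEL_RULES = [
  { allow: 'groups', groups: ['VerifiedUser'], operations: ['read'] },
  { allow: 'groups', groups: ['Admin'], operations: ['create', 'update', 'read', 'delete'] },
  { allow: 'owner', operations: ['create', 'update', 'read', 'delete'] },
];

// Field-level rules from the original schema; fields not listed here are
// governed by the model-level rules only (assumption of this toy model).
const FIELD_RULES = {
  tenantAddress: [{ allow: 'owner', operations: ['create', 'update', 'read', 'delete'] }],
};

const FIELDS = ['id', 'tenantName', 'tenantPlan', 'tenantPayment', 'tenantAddress'];

// Does one rule grant `operation` to `principal` on `record`?
function ruleAllows(rule, operation, principal, record) {
  if (!rule.operations.includes(operation)) return false;
  if (rule.allow === 'groups') {
    // Group rule: any overlap between the rule's groups and the user's groups.
    return rule.groups.some((g) => principal.groups.includes(g));
  }
  if (rule.allow === 'owner') {
    // Owner rule: the stored owner value is "<sub>::<username>" (as the comment
    // above describes); compare against that exact string.
    return record.owner === `${principal.sub}::${principal.username}`;
  }
  return false;
}

// Rules at one level are OR-ed: satisfying any single rule is enough.
function isAllowed(rules, operation, principal, record) {
  return rules.some((r) => ruleAllows(r, operation, principal, record));
}

// Returns the fields the principal may perform `operation` on for this record.
// An empty array means the record itself is not accessible at all.
function authorizedFields(operation, principal, record, fields = FIELDS) {
  if (!isAllowed(MODEL_RULES, operation, principal, record)) return [];
  return fields.filter((f) => {
    const fieldRules = FIELD_RULES[f];
    return fieldRules ? isAllowed(fieldRules, operation, principal, record) : true;
  });
}

// Constructed sample record and principals (not real identities).
const record = { id: 't-1', owner: 'sub-123::alice', tenantName: 'Acme' };
const alice = { sub: 'sub-123', username: 'alice', groups: ['VerifiedUser'] }; // owner + group
const bob = { sub: 'sub-456', username: 'bob', groups: ['VerifiedUser'] };     // group only
const carol = { sub: 'sub-789', username: 'carol', groups: ['Admin'] };        // admin, not owner
const dave = { sub: 'sub-000', username: 'dave', groups: [] };                 // no grant at all

// Stand-alone demonstration: which fields each principal can read.
for (const p of [alice, bob, carol, dave]) {
  console.log(p.username, 'read ->', authorizedFields('read', p, record));
}
console.log('carol delete ->', authorizedFields('delete', carol, record));
console.log('bob delete ->', authorizedFields('delete', bob, record));
```

Running it shows the split the comment describes: alice, as owner, can read every field including `tenantAddress`; bob and carol, who are authorised only through a group, get the record but not the owner-only field; dave, with neither grant, gets nothing. Whether the real resolvers treat a selection set containing a field the caller cannot read as a partial result or as a denied query is a separate question that this toy does not answer; it is only a tool for checking which grant a given principal is actually relying on.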

PeterSchoell commented 3 months ago

@chrisbonifacio Thank you for the quick reply.

The variant at model level to add the owner to the authentication works. The owner is always also in one of the two groups. The additional owner specification could restrict the operations (e.g. delete) here.

My case, however, is that only the `owner` should read the `tenantAddress` and no other user/group. As written, this works without problems in the AWS AppSync queries GUI; in the application via the DataStore, no element from the database is synchronised at all. (DataStore - User is unauthorised to query syncTenants with auth mode userPool. No data could be returned.)