Closed dorontal closed 3 years ago
I was made aware that there is a work-around for this issue, which is to not use the automatically generated Angular API service, but use GraphQL / AppSync directly, and do something like this:
// call the mutation directly via graphql
const createPrivateTrack = await API.graphql({
...
});
but this does not solve the issue posted here, which is with the Angular API service, not with AppSync. Also I have not tried this. Maybe it also produces a 401 error? I am adding this comment, because it's a workaround that may help others who have had the same issue, so that they can try to proceed with this proposed temporary solution. Instead, I am interested in using the automatically generated Angular API service, interested in calling the mutation via the provided service, which seems to have a bug in it - the one described above.
@dorontal were you able to fix this?
@Johnniexson we did not try to fix this because it seems like a serious and deep bug that the experts at Amazon would be able to fix much more quickly than us, also because there is a workaround (using API.graphql
directly, see comment above). Instead, we've shifted attention to work on other parts of the project until this is fixed.
@dorontal Okay, but how do u import queries.createTodo in your component?
Because when i run amplify codegen the files created in the graphql folder are mutations.graphql, queries.graphql, subscriptions.graphql and schema.json
From these files there are no exported data that i can import in my components and i can't be writings the statements for each queries from scratch if I'm to use API.graphql directly
Any help on this? You might want to look at this for what i actually meant. https://github.com/aws-amplify/amplify-js/discussions/5805#discussion-3656
@Johnniexson I do not understand your last question very well. The GraphQL code I post in a comment above which comes from the graphql folder is just the workaround solution, not the one we are after. In this issue, I am not referring to the code that gets created in the graphql folder at all, it is shown only to point other people who have that issue that there is a workaround (we haven't tried the workaround, by the way, so we can't say for sure that it works). Instead, in this issue I am referring to the Angular service code that gets generated in a Typescript code file. By the way, today we upgraded to Angular 9 with the Ivy renderer and all new aws-amplify
packages in package.json
(that's "@aws-amplify/api": "^3.1.10"
and "aws-amplify": "^3.0.11"
, which are the only two AWS/amplify packages we use -- and the exact same bug is still exactly the same. When you use the mutation from the generated service, the mutation returns a 401 error, even though the user authorized to make that mutation is 100% logged in. That's because the wrong Authorization header token is sent with the request. That's probably related to the fact that there are multiple authorizations set-up here: Cognito and IAM together. Any help on this would be greatly appreciated.
@dorontal what i meant is that i can't import the generated statements for mutation from the graphql folder(the file generated have .graphql file extension and not .ts like the API.service.ts) to my component in other to use API.graphql directly (the part where one will specify in query: mutation.**).
Are u on the amplify discord channel? I will be glad if you can reach me via johnniexson#3220
so i could explain the issue /what i mean better.. 🙏
Woohoo!! I found a super simple workaround that fixes the issue reported here, even better than using API.graphql
(the API.graphql
workaround would have required ignoring the auto-generated angular service code and rewriting that service with calls to API.graphql
each of which specifies the auth mode - it would have worked but it would have taken numerous new lines of code. The following workaround is just one line of code).
The workaround is based on this issue and comment https://github.com/aws-amplify/amplify-cli/issues/1576#issuecomment-665338424 -- thank you @kwhitejr and @dabit3 !!
To work around this issue, I just added one line of code above the line that caused trouble. Added:
Amplify.configure({
aws_appsync_authenticationType: 'AMAZON_COGNITO_USER_POOLS'
});
before the call to
this.awsAPI.CreatePrivateTrack({ ...
Done! All works as expected now.
I can reproduce. After some investigations:
Looks like aws_appsync_authenticationType
is being used on line 122 here to determine the type of auth headers to set.
@dorontal Since AWS_IAM
is used as the default aws_appsync_authenticationType
, and PrivateTrack
doesn't have iam @auth
rules, isn't 401 working as intended?
As you commented, setting aws_appsync_authenticationType
to 'AMAZON_COGNITO_USER_POOLS'
works as designed.
Adding the iam @auth
as follows (as an example):
type PrivateTrack
@model
@auth(rules: [
{ allow: owner },
{ allow: private, provider: iam, operations: [create, read, update] }
])
{
id: ID!
path: String!
}
allows both auth types to call this.awsAPI.CreatePrivateTrack
successfully.
Thank you @wei ! As Wei mentions, that is the expected behavior. If you have further questions, please open a discussion or join our Discord (discord.gg/amplify) !
This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.
Looking for a help forum? We recommend joining the Amplify Community Discord server *-help
channels or Discussions for those types of questions.
Describe the bug Getting a 401 error when using a type with
@auth { allow: owner }
and trying to create a new record for that type. Here is the entire schema that produced this error (the relevant type to look at istype PrivateTrack
as the error is caused when calling the generated angular service functionCreatePrivateTrack
):With this schema, I successfully use the
Auth
service to create a user, to send a code for account verification, to verify the account and finally, to log a user in (via email + password login). But then, while the user is logged-in, here is the function call of the generated Angular API service that returns a 401 (Unauthorized) error response:To Reproduce Steps to reproduce the behavior:
amplify add api
- use IAM as the default authorization mode, but add a COGNITO authorization mode as the 2nd auth mode (NOTE: I get a different error when reversing this order, but it is also an error that shows that the amplify service cannot handle more than one auth mode)CreatePrivateTrack
mutationExpected behavior As soon as the 401 error from
CreatePrivateTrack
happens, I checked the request headers in the network tab of dev-tools of the browser. I expected the request headers to have the typical authorization endpoint parameters that get passed, but it does not have them. Instead, it seems to send a sigV4 signing, which is not expected. Here are those headers that show up with the request that got the 401 error response:What is Configured?
aws-exports
file:[ NOTE: Yes, at some point I did try to use use AMAZON_COGNITO_USER_POOLS as the primary (first configured) auth_mode - but then I got a similar-but-reverse error: none of my public (IAM) stuff in the schema was working. Focusing here on just that one use-case of configuring IAM as the primary auth mode and adding COGNITO as the 2nd auth mode, which makes more sense anyway because most of that schema use is public (IAM). ]
Smartphone (please complete the following information):
Not a smartphone - running in Chromium browser on desktop with the following version information
Version 80.0.3987.162 (Developer Build) built on Debian 10.3, running on Debian 10.3 (64-bit)