aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

DataStore - Sync error - UnauthorizedException #6982

Closed rpostulart closed 3 years ago

rpostulart commented 4 years ago

I receive this error: DataStore - Sync error – "subscription failed Connection failed: {\"errors\":[{\"errorType\":\"UnauthorizedException\",\"message\":\"Permission denied\"}]}"

While I run this code:

Auth.currentCredentials()
  .then(d => console.log("data: ", d))
  .catch(e => console.log("error: ", e));

before

this.init = DataStore.observe(Quiz).subscribe();

with this schema:

type Quiz
  @model
  @auth(
    rules: [
      { allow: public, provider: iam, operations: [read] }
      { allow: owner }
    ]
  ) {
  id: ID!
  title: String!
  seconds: Int!
  currentQuestion: String
  questionOrder: String
  started: Boolean
  questionTime: Int
  view: Int
  owner: String!
}

type Questions
  @model
  @auth(
    rules: [
      { allow: public, provider: iam, operations: [read] }
      { allow: owner }
    ]
  ) {
  id: ID!
  image: String
  youtube: String
  question: String!
  answerOne: String
  answerOneCorrect: Boolean
  answerTwo: String
  answerTwoCorrect: Boolean
  answerThree: String
  answerThreeCorrect: Boolean
  answerFour: String
  answerFourCorrect: Boolean
  quizID: String!
  order: Int
  public: Boolean
  fromLibrary: Boolean
  category: String
}

type QuestionsDB
  @model
  @auth(
    rules: [
      { allow: public, provider: iam, operations: [read] }
      { allow: owner }
    ]
  ) {
  id: ID!
  image: String
  youtube: String
  question: String!
  answerOne: String
  answerOneCorrect: Boolean
  answerTwo: String
  answerTwoCorrect: Boolean
  answerThree: String
  answerThreeCorrect: Boolean
  answerFour: String
  answerFourCorrect: Boolean
  relatedQuestion: String!
  public: Boolean
  category: String
  language: String
}

type Subscribers @model @auth(rules: [{ allow: public, provider: iam }]) {
  id: ID!
  type: String!
  score: Int!
  quizID: String!
  name: String!
}

type Responses @model @auth(rules: [{ allow: public, provider: iam }]) {
  id: ID!
  quiz: String!
  subscriber: String!
  question: String!
}

type Languages
  @model
  @auth(rules: [{ allow: public, provider: iam }])
  @key(name: "ByCode", fields: ["type", "code"], queryField: "getLangByCode") {
  id: ID!
  type: String!
  code: String!
}

iartemiev commented 4 years ago

Hey @rpostulart, please share your aws-exports.js file with any sensitive information redacted

rpostulart commented 4 years ago

const awsmobile = {
    "aws_project_region": "eu-west-1",
    "aws_appsync_graphqlEndpoint": "https://******.appsync-api.eu-west-1.amazonaws.com/graphql",
    "aws_appsync_region": "eu-west-1",
    "aws_appsync_authenticationType": "AWS_IAM",
    "aws_cognito_identity_pool_id": "eu-west-1:*****",
    "aws_cognito_region": "eu-west-1",
    "aws_user_pools_id": "eu-west-1_*****",
    "aws_user_pools_web_client_id": "********",
    "oauth": {},
    "predictions": {
        "interpret": {
            "interpretText": {
                "region": "eu-west-1",
                "proxy": false,
                "defaults": {
                    "type": "LANGUAGE"
                }
            }
        }
    }
};

export default awsmobile;

iartemiev commented 4 years ago

What gets logged to the console from the Auth.currentCredentials() call you're making?

Are you seeing the error when you're authenticated as well as when unauthenticated?

When configuring the API authorization types via the CLI did you use all default settings or did you make customizations either via the CLI or via the AWS Console later?

Lastly, which front end framework are you using and is this happening in the dev or production build?

rpostulart commented 4 years ago

This is the complete repo (with a working schema, so not the above one): https://github.com/alowa-apps/kwizz

I made customizations because I needed Cognito AND IAM auth.

The framework is React and it is happening locally and on the cloud URL: https://test.d1qdenhzp003kw.amplifyapp.com/ if you check the console you will see the error.

iartemiev commented 4 years ago

Thank you for providing the source code, that's a huge help!

My default browser is Firefox and I was unable to reproduce the issue there, but after trying your code in Chrome and Safari, I was finally able to see the error.

Will be digging into it further and will keep you posted on further findings/solutions.

iartemiev commented 4 years ago

Scratch that. It wasn't a browser issue. I just hadn't enabled unauthenticated access on my Identity Pool. Seeing it across browsers now.

rpostulart commented 4 years ago

Ok, let me know where I can help

rpostulart commented 4 years ago

Hey @iartemiev, were you able to identify the issue?

iartemiev commented 4 years ago

It seems that it might be an issue with how we're handling combinations of auth modes on the CLI. Will transfer it over, so that their team can take a look.

iartemiev commented 4 years ago

Transferring this over per my conversation with @edwardfoyle.

I was able to reproduce this issue using the following simplified schema (and explicitly turning off subscription authorization on the model).

When I try to subscribe to changes on this model with DataStore as an unauthed user, I get the error: "DataStore - Sync error subscription failed Connection failed: {"errors":{"errorType":"UnauthorizedException","message":"Permission denied"}}"

Here's the schema:

type Quiz
  @model(subscriptions: { level: public })
  @auth(
    rules: [
      { allow: owner },
      { allow: public, provider: iam, operations: [read] }
    ]
  ) {
  id: ID!
  title: String!
  seconds: Int!
  currentQuestion: String
  questionOrder: String
  started: Boolean
  questionTime: Int
  view: Int
  owner: String!
}

App.js I'm using to reproduce the error:

import React from 'react';
import Amplify from 'aws-amplify';
import { DataStore } from '@aws-amplify/datastore';
import aws_exports from './aws-exports';
import { Quiz } from './models';

Amplify.configure(aws_exports);

DataStore.observe(Quiz).subscribe((msg) => {
  console.log(msg.model, msg.opType, msg.element);
});

const App = () => <></>;

export default App;

I can also reproduce the UnauthorizedException error by attempting to subscribe without using DataStore:

API.graphql(
  graphqlOperation(subscriptions.onCreateQuiz)
).subscribe({
  next: (quizData) => console.log(quizData)
});

Here's the generated IAM policy (identical for authed and unauthed roles):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "appsync:GraphQL"
            ],
            "Resource": [
                "arn:aws:appsync:us-east-1:xxxxxapis/xxxxxxxxxx/types/Quiz/*",
                "arn:aws:appsync:us-east-1:xxxxx:apis/xxxxxxxxxx/types/Query/fields/getQuiz",
                "arn:aws:appsync:us-east-1:xxxxx:apis/xxxxxxxxxx/types/Query/fields/listQuizs",
                "arn:aws:appsync:us-east-1:xxxxx:apis/xxxxxxxxxxtypes/Query/fields/syncQuizzes"
            ],
            "Effect": "Allow"
        }
    ]
}

Dependency versions:

rpostulart commented 4 years ago

Any ideas what it can be? Can I help in any way?

renebrandel commented 4 years ago

@SwaySway - can you provide details if your PR is addressing this issue?

SwaySway commented 4 years ago

PR addresses this issue by creating the necessary policies for subscriptions when the auth rule read is applied. Closing this issue as the fix has been addressed and released into version 4.21.1.
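
The IAM policy posted earlier in this thread lists the Quiz type and three Query fields but no Subscription fields, and the fix is described as creating the policies that subscriptions need. As an added example (not Amplify CLI or project code), the check below reports which AppSync fields a role policy leaves uncovered; the account ID, API ID, the "after" policy and the onUpdateQuiz/onDeleteQuiz field names are assumptions constructed for illustration.

```javascript
'use strict';

// IAM patterns use '*' (any run of characters) and '?' (one character).
function iamPatternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
}

// Policy elements may be a single value or an array.
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Action names are case-insensitive; accept appsync:GraphQL, appsync:* and *.
function grantsGraphQL(stmt) {
  return asArray(stmt.Action).some((a) =>
    iamPatternToRegExp(a.toLowerCase()).test('appsync:graphql'));
}

// Returns "Type.field" for every required field that no Allow statement
// covers, or that an explicit Deny statement matches.
function uncoveredFields(policy, apiArn, required) {
  const stmts = asArray(policy.Statement).filter(grantsGraphQL);
  const hit = (effect, arn) => stmts.some((s) =>
    s.Effect === effect &&
    asArray(s.Resource).some((r) => iamPatternToRegExp(r).test(arn)));
  const missing = [];
  for (const [type, fields] of Object.entries(required)) {
    for (const field of fields) {
      const arn = `${apiArn}/types/${type}/fields/${field}`;
      if (!hit('Allow', arn) || hit('Deny', arn)) missing.push(`${type}.${field}`);
    }
  }
  return missing;
}

// Constructed sample data: placeholder account and API IDs.
const API_ARN = 'arn:aws:appsync:us-east-1:111122223333:apis/EXAMPLEAPIID';

// Fields a read-only role would call to query and subscribe to Quiz.
// Query names and onCreateQuiz are from the thread; onUpdateQuiz and
// onDeleteQuiz are assumed to follow the same naming.
const REQUIRED = {
  Query: ['getQuiz', 'listQuizs', 'syncQuizzes'],
  Subscription: ['onCreateQuiz', 'onUpdateQuiz', 'onDeleteQuiz'],
};

// Same shape as the policy in the thread: no Subscription resources.
const POLICY_BEFORE = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['appsync:GraphQL'],
    Resource: [
      `${API_ARN}/types/Quiz/*`,
      `${API_ARN}/types/Query/fields/getQuiz`,
      `${API_ARN}/types/Query/fields/listQuizs`,
      `${API_ARN}/types/Query/fields/syncQuizzes`,
    ],
  }],
};

// Constructed "after" policy (not the CLI's actual output): adds one
// resource per subscription field.
const POLICY_AFTER = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: ['appsync:GraphQL'],
    Resource: [
      ...POLICY_BEFORE.Statement[0].Resource,
      ...REQUIRED.Subscription.map((f) => `${API_ARN}/types/Subscription/fields/${f}`),
    ],
  }],
};

console.log('before:', uncoveredFields(POLICY_BEFORE, API_ARN, REQUIRED));
console.log('after: ', uncoveredFields(POLICY_AFTER, API_ARN, REQUIRED));
```

Running the same check against the policies attached to both the authenticated and unauthenticated Identity Pool roles shows whether a subscription failure comes from the role policy rather than from the client.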

rpostulart commented 3 years ago

With this schema:

type User
  @model
  @key(fields: ["id", "horecaID"])
  @key(name: "byHoreca", fields: ["horecaID"])
  @auth(
    rules: [
      { allow: groups, groups: ["owner", "supervisor"] }
      { allow: owner, ownerField: "owner", identityClaim: "custom:horeca" }
    ]
  ) {
  id: ID!
  horecaID: ID!
  owner: ID!
  name: String!
  lastDateLogin: String
  group: Group
}

I face this issue again. This time it is on React Native with an authenticated user. This is my package.json:

{
  "main": "node_modules/expo/AppEntry.js",
  "scripts": {
    "start": "expo start",
    "android": "expo start --android",
    "ios": "expo start --ios",
    "web": "expo start --web",
    "eject": "expo eject",
    "amplify-modelgen": "node amplify/scripts/amplify-modelgen.js",
    "amplify-push": "node amplify/scripts/amplify-push.js"
  },
  "dependencies": {
    "@aws-amplify/analytics": "^3.3.6",
    "@aws-amplify/api": "^3.2.6",
    "@aws-amplify/auth": "^3.4.6",
    "@aws-amplify/core": "^3.6.0",
    "@aws-amplify/datastore": "^2.6.0",
    "@expo/vector-icons": "^10.0.0",
    "@react-native-community/masked-view": "0.1.10",
    "@react-native-community/netinfo": "5.9.6",
    "@react-navigation/bottom-tabs": "^5.6.1",
    "@react-navigation/native": "^5.7.5",
    "@react-navigation/stack": "^5.6.2",
    "aws-amplify-react": "^4.2.7",
    "expo": "~39.0.2",
    "expo-constants": "~9.2.0",
    "expo-status-bar": "~1.0.2",
    "lottie-react-native": "~2.6.1",
    "react": "16.13.1",
    "react-dom": "16.13.1",
    "react-native": "https://github.com/expo/react-native/archive/sdk-39.0.2.tar.gz",
    "react-native-error-boundary": "^1.1.3",
    "react-native-gesture-handler": "~1.7.0",
    "react-native-reanimated": "~1.13.0",
    "react-native-safe-area-context": "3.1.4",
    "react-native-screens": "~2.10.1",
    "react-native-tiny-toast": "^1.0.7",
    "react-native-web": "~0.13.12"
  },
  "devDependencies": {
    "@types/react": "~16.9.35",
    "@types/react-dom": "~16.9.8",
    "@types/react-native": "~0.63.2",
    "ini": "^1.3.5",
    "inquirer": "^6.5.1",
    "typescript": "~3.9.5"
  },
  "private": true
}

rpostulart commented 3 years ago

@renebrandel @SwaySway: can you re-open this issue?

ltaljaard commented 3 years ago

We are getting the same problem with our React Native + Expo app.

rpostulart commented 3 years ago

@ltaljaard Same versions as I have used?

ltaljaard commented 3 years ago

This is the error we are getting:

[Unhandled promise rejection: Error: UnauthorizedException]

package.json:

{
  "main": "node_modules/expo/AppEntry.js",
  "scripts": {
    "start": "expo start",
    "android": "expo start --android",
    "ios": "expo start --ios",
    "web": "expo start --web",
    "eject": "expo eject",
    "amplify-modelgen": "node amplify/scripts/amplify-modelgen.js",
    "amplify-push": "node amplify/scripts/amplify-push.js"
  },
  "dependencies": {
    "@aws-amplify/core": "^3.4.0",
    "@aws-amplify/datastore": "^2.2.4",
    "@expo/vector-icons": "^10.0.0",
    "@react-native-community/masked-view": "0.1.6",
    "@react-native-community/netinfo": "5.5.1",
    "@react-navigation/drawer": "^5.8.2",
    "@react-navigation/material-bottom-tabs": "^5.2.10",
    "@react-navigation/native": "^5.5.1",
    "@react-navigation/stack": "^5.5.1",
    "aws-amplify": "^3.0.18",
    "aws-amplify-react-native": "^4.2.1",
    "expo": "~37.0.3",
    "moment": "^2.27.0",
    "react": "~16.9.0",
    "react-dom": "~16.9.0",
    "react-native": "https://github.com/expo/react-native/archive/sdk-37.0.1.tar.gz",
    "react-native-action-button": "^2.8.5",
    "react-native-elements": "^2.0.2",
    "react-native-gesture-handler": "~1.6.0",
    "react-native-paper": "^3.10.1",
    "react-native-reanimated": "~1.7.0",
    "react-native-safe-area-context": "0.7.3",
    "react-native-screens": "~2.2.0",
    "react-native-web": "~0.11.7"
  },
  "devDependencies": {
    "@babel/core": "^7.8.6",
    "babel-preset-expo": "~8.1.0",
    "ini": "^1.3.5",
    "inquirer": "^6.5.1"
  },
  "private": true
}

AWS-exports.js:

const awsmobile = {
    "aws_project_region": "eu-west-1",
    "aws_appsync_graphqlEndpoint": "https://***amazonaws.com/graphql",
    "aws_appsync_region": "eu-west-1",
    "aws_appsync_authenticationType": "API_KEY",
    "aws_appsync_apiKey": "",
    "aws_cognito_identity_pool_id": "eu-west-",
    "aws_cognito_region": "eu-west-1",
    "aws_user_pools_id": "",
    "aws_user_pools_web_client_id": "",
    "oauth": {}
};

export default awsmobile;

SwaySway commented 3 years ago

@rpostulart Based on the provided schema, when running DataStore operations it will attempt to run authorization with owner auth. When you get the error that they are unauthorized, is it because the current signed-in user is not the owner but they exist in the group? You can view this by enabling the logger; logger docs: https://docs.amplify.aws/lib/utilities/logger/q/platform/js

@ltaljaard Is your schema similar to that of @rpostulart ? Could you provide your schema if it's different as well as the logs?

ltaljaard commented 3 years ago

@SwaySway my schema looks like this and a while back it was working fine without this issue.

The link to the logger docs doesn't want to open, could you check that it's the right one?

type VAddress @auth(rules: [{ allow: public }]) @model {
  id: ID!
  line1: String
  line2: String
  line3: String
  line4: String
}

kurtroberts commented 3 years ago

I'm seeing the same behavior. I'm using iam auth to populate read-only, global content from a content management system. Then using cognito to authenticate by group to grant access to "Everyone" (which is the group users are assigned to on sign up using a lambda). Here's an excerpt from my schema:

type Trail @model  @auth(
    rules: [
      { allow: private, provider: iam, operations: [read, update, create, delete] },
      { allow: groups, groups: ["Everyone"], operations: [read] }
    ]
  ) {
    id: ID!
    Name: String!
    strapiId: Int!
    fallacyId: Int!
    Order: Int!
    swatchId: Int!
}
type Screen @model  @auth(
    rules: [
      { allow: private, provider: iam, operations: [read, update, create, delete] }
      { allow: groups, groups: ["Everyone"], operations: [read] }
    ]
  ) {
    id: ID!
    strapiId: Int!
    Title: String!
    Content: String!
    ButtonText: String!
    ScoreIndicator: Boolean
    trailId: Int!
    Order: Int!
    OverrideCartoonUrl: String
    QuizId: Int
    uncleId: Int
    PointValue: Int
}

type Category @model @auth(
    rules: [
      { allow: private, provider: iam, operations: [read, update, create, delete] }
      { allow: groups, groups: ["Everyone"], operations: [read] }
    ]
  ) {
    id: ID!
    strapiId: Int!
    Name: String!
}

type Swatch @model  @auth(
    rules: [
      { allow: private, provider: iam, operations: [read, update, create, delete] }
      { allow: groups, groups: ["Everyone"], operations: [read] }
    ]
  ) {
    id: ID!
    strapiId: Int!
    Name: String!
    Solid: String!
    GradientTop: String!
    GradientBottom: String!
}

When I turn logging up to DEBUG as described in the link above, it's obviously a massive amount of output, as I've got about a dozen object types in datastore, auth, pinpoint, etc. But here's the full stanza related to the unauthorized exception:

ConsoleLogger.js?721f:97 [DEBUG] 58:58.843 AWSAppSyncRealTimeProvider - subscription message from AWS AppSyncRealTime: {"type":"connection_ack","payload":{"connectionTimeoutMs":300000}}
3ConsoleLogger.js?721f:97 [DEBUG] 58:58.843 AWSAppSyncRealTimeProvider - Notifying connection successful
8ConsoleLogger.js?721f:97 [DEBUG] 58:58.844 AWSAppSyncRealTimeProvider - Notifying connection successful
10ConsoleLogger.js?721f:97 [DEBUG] 58:58.845 AWSAppSyncRealTimeProvider - Notifying connection successful
10ConsoleLogger.js?721f:97 [DEBUG] 58:58.846 AWSAppSyncRealTimeProvider - Notifying connection successful
8ConsoleLogger.js?721f:97 [DEBUG] 58:58.847 AWSAppSyncRealTimeProvider - Notifying connection successful
ConsoleLogger.js?721f:97 [DEBUG] 58:58.851 AWSAppSyncRealTimeProvider - subscription message from AWS AppSync RealTime: {"type":"ka"}
ConsoleLogger.js?721f:100 [DEBUG] 58:58.851 AWSAppSyncRealTimeProvider {id: "", observer: null, query: "", variables: {…}}
ConsoleLogger.js?721f:97 [DEBUG] 58:59.20 AWSAppSyncRealTimeProvider - subscription message from AWS AppSync RealTime: {"id":"c0d7e29b-372a-49b1-84bb-ee4a82ae98c2","type":"error","payload":{"errors":[{"errorType":"UnauthorizedException","message":"Permission denied"}]}}
ConsoleLogger.js?721f:100 [DEBUG] 58:59.20 AWSAppSyncRealTimeProvider {id: "c0d7e29b-372a-49b1-84bb-ee4a82ae98c2", observer: SubscriptionObserver, query: "subscription operation {↵  onCreateMultipleChoiceA…  _version↵    _lastChangedAt↵    _deleted↵  }↵}↵", variables: {…}}
ConsoleLogger.js?721f:107 [WARN] 58:59.20 DataStore - subscriptionError Connection failed: {"errors":[{"errorType":"UnauthorizedException","message":"Permission denied"}]}

Startup looks like this:

[HMR] Waiting for update signal from WDS...
client-entry.js?d124:33 [Quasar] Running SPA.
ConsoleLogger.js?721f:107 [DEBUG] 58:56.946 AWSPinpointProvider - endpointId from cache (3) ["ca99f450-0eec-11eb-8989-4d8f94dec68d", "type", "string"]
ConsoleLogger.js?721f:107 [DEBUG] 58:56.949 AWSPinpointProvider - setting endpoint id from the cache ca99f450-0eec-11eb-8989-4d8f94dec68d
ConsoleLogger.js?721f:107 [DEBUG] 58:56.950 Hub - Dispatching to analytics with  {event: "pinpointProvider_configured", data: null}
ConsoleLogger.js?721f:107 [DEBUG] 58:56.950 AnalyticsClass - on hub capsule analytics {event: "pinpointProvider_configured", data: null}
ConsoleLogger.js?721f:107 [DEBUG] 58:56.950 AWSPinpointProvider - _public record {event: {…}, provider: undefined}
ConsoleLogger.js?721f:97 [DEBUG] 58:56.951 Credentials - getting credentials
ConsoleLogger.js?721f:97 [DEBUG] 58:56.951 Credentials - picking up credentials
ConsoleLogger.js?721f:97 [DEBUG] 58:56.951 Credentials - getting new cred promise
ConsoleLogger.js?721f:97 [DEBUG] 58:56.951 Credentials - checking if credentials exists and not expired
ConsoleLogger.js?721f:97 [DEBUG] 58:56.952 Credentials - need to get a new credential or refresh the existing one
ConsoleLogger.js?721f:97 [DEBUG] 58:56.952 AuthClass - Getting current user credentials
ConsoleLogger.js?721f:107 [DEBUG] 58:56.953 AWSPinpointProvider - _public record {event: {…}, provider: "AWSPinpoint"}
ConsoleLogger.js?721f:97 [DEBUG] 58:56.954 Credentials - getting credentials
ConsoleLogger.js?721f:97 [DEBUG] 58:56.954 Credentials - picking up credentials
ConsoleLogger.js?721f:97 [DEBUG] 58:56.954 Credentials - getting old cred promise
ConsoleLogger.js?721f:97 [WARN] 58:56.955 Hub - Cannot perform pattern matching without a message key
ConsoleLogger._log @ ConsoleLogger.js?721f:97
ConsoleLogger.warn @ ConsoleLogger.js?721f:150
HubClass._toListeners @ Hub.js?753e:167
HubClass.dispatch @ Hub.js?753e:109
dispatchAnalyticsEvent @ AWSPinpointProvider.js?9ab4:81
eval @ AWSPinpointProvider.js?9ab4:143
Promise.then (async)
AWSPinpointProvider.configure @ AWSPinpointProvider.js?9ab4:140
eval @ Analytics.js?dd23:119
AnalyticsClass.configure @ Analytics.js?dd23:113
eval @ Amplify.js?c5fb:83
AmplifyClass.configure @ Amplify.js?c5fb:82
eval @ amplify.js?dc26:16
./src/boot/amplify.js @ app.js:1241
__webpack_require__ @ app.js:854
fn @ app.js:151
eval @ client-entry.js?d124:1
./.quasar/client-entry.js @ app.js:1019
__webpack_require__ @ app.js:854
fn @ app.js:151
0 @ app.js:1611
__webpack_require__ @ app.js:854
checkDeferredModules @ app.js:46
webpackJsonpCallback @ app.js:33
(anonymous) @ vendor.js:1
ConsoleLogger.js?721f:97 [DEBUG] 58:56.955 AuthClass - Getting current session
ConsoleLogger.js?721f:107 [DEBUG] 58:56.958 AuthClass - Getting the session from this user: CognitoUser {username: "username", pool: CognitoUserPool, Session: null, client: Client, signInUserSession: CognitoUserSession, …}
ConsoleLogger.js?721f:107 [DEBUG] 58:56.958 AuthClass - Succeed to get the user session CognitoUserSession {idToken: CognitoIdToken, refreshToken: CognitoRefreshToken, accessToken: CognitoAccessToken, clockDrift: 0}
ConsoleLogger.js?721f:107 [DEBUG] 58:56.966 AuthClass - getting session success CognitoUserSession {idToken: CognitoIdToken, refreshToken: CognitoRefreshToken, accessToken: CognitoAccessToken, clockDrift: 0}
ConsoleLogger.js?721f:97 [DEBUG] 58:56.966 Credentials - set credentials from session
vue.runtime.esm.js?5593:8429 Download the Vue Devtools extension for a better development experience:
https://github.com/vuejs/vue-devtools
ConsoleLogger.js?721f:97 [DEBUG] 58:57.436 AuthClass - getting current authenticated user
ConsoleLogger.js?721f:97 [DEBUG] 58:57.438 AuthClass - cannot load federated user from auth storage
ConsoleLogger.js?721f:97 [DEBUG] 58:57.438 AuthClass - get current authenticated userpool user
ConsoleLogger.js?721f:97 [DEBUG] 58:57.439 AuthClass - getting current authenticated user
ConsoleLogger.js?721f:97 [DEBUG] 58:57.470 AuthClass - getting current authenticated user
ConsoleLogger.js?721f:97 [DEBUG] 58:57.484 AuthClass - cannot load federated user from auth storage
ConsoleLogger.js?721f:97 [DEBUG] 58:57.484 AuthClass - get current authenticated userpool user
ConsoleLogger.js?721f:97 [DEBUG] 58:57.485 AuthClass - cannot load federated user from auth storage
ConsoleLogger.js?721f:97 [DEBUG] 58:57.485 AuthClass - get current authenticated userpool user
ConsoleLogger.js?721f:107 [DEBUG] 58:57.490 AWSPinpointProvider - _public record {event: {…}, provider: undefined}
ConsoleLogger.js?721f:97 [DEBUG] 58:57.490 Credentials - getting credentials
ConsoleLogger.js?721f:97 [DEBUG] 58:57.490 Credentials - picking up credentials
ConsoleLogger.js?721f:97 [DEBUG] 58:57.490 Credentials - getting old cred promise
ConsoleLogger.js?721f:97 [DEBUG] 58:57.492 DataStore - Starting DataStore
ConsoleLogger.js?721f:97 [DEBUG] 58:57.497 DataStore - Starting Storage
ConsoleLogger.js?721f:107 [DEBUG] 58:57.812 Hub - Dispatching to datastore with  {event: "networkStatus", data: {…}}
ConsoleLogger.js?721f:107 [DEBUG] 58:57.813 Hub - Dispatching to datastore with  {event: "networkStatus", data: {…}}
ConsoleLogger.js?721f:107 [DEBUG] 58:57.813 Hub - Dispatching to datastore with  {event: "networkStatus", data: {…}}
ConsoleLogger.js?721f:97 [DEBUG] 58:57.814 AuthClass - getting current credentials
ConsoleLogger.js?721f:97 [DEBUG] 58:57.814 Credentials - getting credentials
ConsoleLogger.js?721f:97 [DEBUG] 58:57.815 Credentials - picking up credentials
ConsoleLogger.js?721f:97 [DEBUG] 58:57.815 Credentials - getting new cred promise
ConsoleLogger.js?721f:97 [DEBUG] 58:57.815 Credentials - checking if credentials exists and not expired
ConsoleLogger.js?721f:107 [DEBUG] 58:57.816 Credentials - are these credentials expired? {accessKeyId: "redacted", secretAccessKey: "redacted", sessionToken: "redacted", expiration: Thu Oct 15 2020 10:58:57 GMT-0400 (Eastern Daylight Time), identityId: "redacted", …}
ConsoleLogger.js?721f:97 [DEBUG] 58:57.816 Credentials - credentials not changed and not expired, directly return
ConsoleLogger.js?721f:97 [DEBUG] 58:57.819 AuthClass - Getting current session
ConsoleLogger.js?721f:107 [DEBUG] 58:57.825 DataStore - after createFromExisting - predicate undefined
ConsoleLogger.js?721f:107 [DEBUG] 58:57.825 DataStore - params ready {predicate: undefined, pagination: {…}, modelConstructor: ƒ}
ConsoleLogger.js?721f:107 [DEBUG] 58:57.825 DataStore - after createFromExisting - predicate Proxy {}
ConsoleLogger.js?721f:107 [DEBUG] 58:57.825 DataStore - params ready {predicate: {…}, pagination: {…}, modelConstructor: ƒ}
ConsoleLogger.js?721f:107 [DEBUG] 58:57.826 AuthClass - Getting the session from this user: CognitoUser {username: "username", pool: CognitoUserPool, Session: null, client: Client, signInUserSession: CognitoUserSession, …}
ConsoleLogger.js?721f:107 [DEBUG] 58:57.826 AuthClass - Succeed to get the user session CognitoUserSession {idToken: CognitoIdToken, refreshToken: CognitoRefreshToken, accessToken: CognitoAccessToken, clockDrift: 0}
ConsoleLogger.js?721f:97 [INFO] 58:57.826 Cache - Get item: key is federatedInfo with options undefined
ConsoleLogger.js?721f:107 [DEBUG] 58:57.830 PubSub - subscribe options {provider: Symbol(INTERNAL_AWS_APPSYNC_REALTIME_PUBSUB_PROVIDER), appSyncGraphqlEndpoint: "https://redacted.appsync-api.us-east-1.amazonaws.com/graphql", authenticationType: "AWS_IAM", apiKey: undefined, query: "subscription operation {↵  onCreateTrail {↵    id↵…  _version↵    _lastChangedAt↵    _deleted↵  }↵}↵", …}
ConsoleLogger.js?721f:97 [DEBUG] 58:57.831 Credentials - getting credentials
ConsoleLogger.js?721f:97 [DEBUG] 58:57.832 Credentials - picking up credentials
ConsoleLogger.js?721f:97 [DEBUG] 58:57.832 Credentials - getting new cred promise
ConsoleLogger.js?721f:97 [DEBUG] 58:57.832 Credentials - checking if credentials exists and not expired
ConsoleLogger.js?721f:107 [DEBUG] 58:57.833 Credentials - are these credentials expired? {accessKeyId: "redacted", secretAccessKey: "redacted", sessionToken: "redacted", expiration: Thu Oct 15 2020 10:58:57 GMT-0400 (Eastern Daylight Time), identityId: "redacted", …}
ConsoleLogger.js?721f:97 [DEBUG] 58:57.833 Credentials - credentials not changed and not expired, directly return
ConsoleLogger.js?721f:107 [DEBUG] 58:57.835 PubSub - subscribe options {provider: Symbol(INTERNAL_AWS_APPSYNC_REALTIME_PUBSUB_PROVIDER), appSyncGraphqlEndpoint: "https://gxgsvawtsraazp7cl4usjsrwg4.appsync-api.us-east-1.amazonaws.com/graphql", authenticationType: "AWS_IAM", apiKey: undefined, query: "subscription operation {↵  onUpdateTrail {↵    id↵…  _version↵    _lastChangedAt↵    _deleted↵  }↵}↵", …}
ConsoleLogger.js?721f:97 [DEBUG] 58:57.835 Credentials - getting credentials
ConsoleLogger.js?721f:97 [DEBUG] 58:57.836 Credentials - picking up credentials
ConsoleLogger.js?721f:97 [DEBUG] 58:57.836 Credentials - getting old cred promise

I'm at a loss - it was working, and then suddenly stopped. Stashing changes didn't help, clearing browser history, logging out and back in... nothing helped. I'm on versions: "@aws-amplify/datastore": "^2.5.2", "@aws-amplify/ui-vue": "^0.2.21", "aws-amplify": "^3.3.2", "aws-amplify-vue": "^2.1.2",

and cli version 4.24.3.

SwaySway commented 3 years ago

@kurtroberts I tried to check the authorization on the AppSync Console, and if I am in the group "Everyone" I am able to run operations on AppSync. If I am in the IAM role the same thing is allowed. Sounds like this could potentially be an issue in the DataStore library on how it's signing the requests over to AppSync. Transferring this issue to the JS library for better visibility.

ltaljaard commented 3 years ago

@SwaySway FYI, I created a new app and backend and copied the same code over from the old app to the new app, and now I don't get this error anymore. Not sure whether it is a package version thing or something that changed on the cloud/backend side, but the latest DataStore does seem to work with the latest CloudFormation stuff again.

That said, I am only using public for now: @auth(rules: [{ allow: public }])

But even the allow: public gave me this error before I redid the app.

ltaljaard commented 3 years ago

This issue has started up again in my Expo Web app. It happens both from the browser and the mobile app. It does not help to sign out and sign back in once it starts happening. The first few days everything works and syncs fine but then it stops with this UnauthorizedException and the syncing stops working.

I'm using the standard suggested project setup and configuration as per the docs: https://docs.amplify.aws/lib/datastore/getting-started/q/platform/js

My package versions: "@react-native-community/netinfo": "^5.9.7", "aws-amplify": "^3.3.3", "aws-amplify-react-native": "^4.2.7", "expo": "~39.0.2", "react": "16.13.1", "react-native-web": "^0.11.7",

Here is the full log that I get when setting Amplify.Logger.LOG_LEVEL = 'DEBUG': https://github.com/ltaljaard/amplify-datastore-log/blob/main/debug-logger.txt

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] commented 3 years ago

This issue has been automatically closed because of inactivity. Please open a new issue if you are still encountering problems.

shravanjha commented 3 years ago

@rpostulart How did you solve this issue? I have an exactly similar scenario.

rpostulart commented 3 years ago

Not sure anymore 😔

github-actions[bot] commented 2 years ago

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.