aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

Cannot subscribe to onCreate subscription without [create] operation on multi auth model #8739

Closed neats-returns closed 3 years ago

neats-returns commented 3 years ago

JavaScript Framework

React

Amplify APIs

GraphQL API

Amplify Categories

auth, function, api

Environment information

```
  System:
    OS: macOS 11.4
    CPU: (8) x64 Apple M1
    Memory: 48.86 MB / 16.00 GB
    Shell: 5.8 - /bin/zsh
  Binaries:
    Node: 15.4.0 - /usr/local/bin/node
    Yarn: 1.22.10 - /usr/local/bin/yarn
    npm: 7.19.1 - /usr/local/bin/npm
    Watchman: 2021.06.07.00 - /opt/homebrew/bin/watchman
  Browsers:
    Chrome: 92.0.4515.131
    Firefox: 90.0.2
    Safari: 14.1.1
  npmPackages:
    @babel/core: ~7.9.0 => 7.9.6 (7.15.0, 7.9.0)
    @expo-google-fonts/lato: ^0.1.0 => 0.1.0
    @hookform/resolvers: ^2.5.2 => 2.6.1
    @react-native-async-storage/async-storage: ~1.15.0 => 1.15.5
    @react-native-community/datetimepicker: 3.5.2 => 3.5.2
    @react-native-community/eslint-config: 1.1.0
    @react-native-community/eslint-plugin: 1.0.0
    @react-native-community/masked-view: 0.1.10 => 0.1.10
    @react-native-community/netinfo: 6.0.0 => 6.0.0
    @react-navigation/native: ^6.0.0 => 6.0.0
    @react-navigation/stack: ^6.0.0 => 6.0.0
    @reduxjs/toolkit: ^1.6.1 => 1.6.1
    @reduxjs/toolkit-query: 1.0.0
    @reduxjs/toolkit-query-react: 1.0.0
    @wry/equality: ^0.5.1 => 0.5.1
    HelloWorld: 0.0.1
    await: ^0.2.6 => 0.2.6
    awaity: ^1.0.0 => 1.0.0
    aws-amplify: ^4.2.2 => 4.2.2
    aws-amplify-react-native: ^5.0.1 => 5.0.3
    aws-sdk: ^2.954.0 => 2.954.0
    babel-plugin-inline-view-configs: 0.0.5
    babel-plugin-module-resolver: ^4.1.0 => 4.1.0 (3.2.0)
    class-validator: 1.0.0
    color: ^3.1.3 => 3.1.3
    computed-types: 1.0.0
    deepmerge: ^4.2.2 => 4.2.2 (3.3.0, 1.5.2)
    eslint: ^7.27.0 => 7.30.0
    eslint-import-resolver-babel-module: ^5.3.1 => 5.3.1
    eslint-plugin-import: ^2.23.4 => 2.23.4
    eslint-plugin-prettier: ^3.4.0 => 3.4.0
    eslint-plugin-react: ^7.24.0 => 7.24.0
    eslint-plugin-react-hooks: ^4.2.0 => 4.2.0
    expo: ^42.0.3 => 42.0.3
    expo-app-loading: ^1.1.2 => 1.1.2
    expo-blur: ~9.0.3 => 9.0.3
    expo-constants: ~11.0.1 => 11.0.1
    expo-device: ~3.3.0 => 3.3.0
    expo-file-system: ~11.1.3 => 11.1.3
    expo-font: ~9.2.1 => 9.2.1
    expo-haptics: ~10.1.0 => 10.1.0
    expo-image-picker: ~10.2.2 => 10.2.2
    expo-intent-launcher: ~9.1.0 => 9.1.0
    expo-linear-gradient: ~9.2.0 => 9.2.0
    expo-linking: ~2.3.1 => 2.3.1
    expo-localization: ~10.2.0 => 10.2.0
    expo-location: ~12.1.2 => 12.1.2
    expo-notifications: ~0.12.3 => 0.12.3
    expo-secure-store: ~10.2.0 => 10.2.0
    expo-server-sdk: ^3.6.0 => 3.6.0
    expo-status-bar: ~1.0.4 => 1.0.4
    gql: ^1.1.2 => 1.1.2
    graphql-tag: ^2.12.5 => 2.12.5
    hermes-inspector-msggen: 1.0.0
    i18n-js: ^3.8.0 => 3.8.0
    install: ^0.13.0 => 0.13.0
    io-ts: 1.0.0
    joi: 1.0.0
    lottie-react-native: 4.0.2 => 4.0.2
    moment: ^2.29.1 => 2.29.1
    nope: 1.0.0
    prettier: ^2.3.0 => 2.3.2
    prop-types: ^15.7.2 => 15.7.2 (15.5.10)
    react: 16.13.1 => 16.13.1
    react-animated: 0.1.0
    react-dom: 16.13.1 => 16.13.1
    react-hook-form: ^7.7.1 => 7.11.0
    react-native: https://github.com/expo/react-native/archive/sdk-42.0.0.tar.gz => 0.63.2
    react-native-animatable: ^1.3.3 => 1.3.3
    react-native-cached-image: ^1.4.3 => 1.4.3
    react-native-codegen: 0.0.2
    react-native-gesture-handler: ~1.10.2 => 1.10.3
    react-native-get-random-values: ~1.7.0 => 1.7.0
    react-native-gifted-chat: ^0.16.3 => 0.16.3
    react-native-iphone-x-helper: ^1.3.1 => 1.3.1
    react-native-keyboard-aware-scroll-view: ^0.9.4 => 0.9.4
    react-native-keyboard-spacer: ^0.4.1 => 0.4.1
    react-native-magnus: ^1.0.62 => 1.0.62
    react-native-mime-types: ^2.3.0 => 2.3.0
    react-native-modal: ^12.0.3 => 12.0.3
    react-native-phone-number-input: ^2.1.0 => 2.1.0
    react-native-safe-area-context: 3.2.0 => 3.2.0
    react-native-screens: ~3.4.0 => 3.4.0
    react-native-status-bar-height: ^2.6.0 => 2.6.0
    react-native-vector-icons: ^8.1.0 => 8.1.0
    react-native-web: ~0.13.12 => 0.13.18
    react-redux: ^7.2.4 => 7.2.4
    redux: ^4.1.0 => 4.1.0
    superstruct: 1.0.0
    uuid: ^8.3.2 => 8.3.2 (3.4.0, 3.3.2, 7.0.2, 7.0.3)
    validate-color: ^2.1.1 => 2.1.1
    vest: 1.0.0
    yup: ^0.32.9 => 0.32.9 (1.0.0)
    zod: 1.0.0
  npmGlobalPackages:
    @aws-amplify/cli: 4.51.4
    eslint: 7.27.0
    expo-cli: 4.7.2
    knex: 0.21.17
    nodemon: 2.0.7
    npm: 7.19.1
    react-devtools: 4.10.1
    serverless: 2.45.0
```

Describe the bug

I created a model which is only readable by its owner, and it's created by a mutation called by a lambda function:

```graphql
type ChatInvitation
  @model
  @auth(
    rules: [
      { allow: owner, operations: [read] }
      { allow: private, operations: [create, update, delete], provider: iam }
    ]
  )
  @key(name: "bySenderId", fields: ["senderId"])
  @key(name: "byInvitedUserId", fields: ["invitedUserId"])
  @aws_iam
  @aws_cognito_user_pools {
  id: ID!
  invitedUserId: ID!
  senderId: ID!
  owner: String!
  sender: User @connection(fields: ["senderId"])
  message: String!
  status: String
}
```

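But when I try to subscribe to the `onCreateChatInvitation` subscription I'm getting this error:

```
"Unauthorized","message": "Not Authorized to access onCreateChatInvitation on type Subscription"
```

This is my subscription code:

```js
import { API, graphqlOperation } from "aws-amplify";
// Subscription document generated by Amplify codegen; the path is an assumption.
import { onCreateChatInvitation } from "./graphql/subscriptions";

// `user` is the signed-in user object from the surrounding component (not shown).
API.graphql(
  graphqlOperation(onCreateChatInvitation, {
    owner: user.id,
  }),
).subscribe({
  next: ({ value }) => console.log("new invitation", value),
  error: (error) => console.warn(error),
});
```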

Expected behavior

The owner should be able to subscribe to the onCreate subscription even though he doesn't have the operation [create]

Reproduction steps

  1. Add IAM auth to your API with `amplify update api`
  2. Copy the model to your `schema.graphql` file
  3. Run a mutation from the AppSync console to create a record

chrisbonifacio commented 3 years ago

Hey @neats-returns 👋 thanks for raising this. I'm not sure I understand the issue here. How would a user be the owner of a record if they weren't allowed to create it?

neats-returns commented 3 years ago

> @neats-returns How would a user be the owner of a record if they weren't allowed to create it?

Hi! Let's put it another way, I want to create a record on the table ChatInvitation from a lambda function through the AppSync API. But I just want one person to be able to subscribe to the `onCreateChatInvitation` subscription, and that's why I'm using the owner field.

I could also do `{allow: owner, ownerField: "invitedUserId", operations: [read]}`

The problem is that when I try to subscribe to the `onCreateChatInvitation` subscription I get this error: "Unauthorized","message": "Not Authorized to access onCreateChatInvitation on type Subscription"

chrisbonifacio commented 3 years ago

Ah okay, I missed the part where you were performing the mutation in the lambda function. Thank you! I will try to reproduce this issue and see if I can either figure out how to do it properly or if this is a bug that needs to be addressed.

To further my understanding of the issue, you were able to subscribe to creation mutations before adding the IAM provider to the model's auth directive?

neats-returns commented 3 years ago

Hi, sorry for the late reply. So I made it work by adding the following rule to my model: `{ allow: private, operations: [read] }`.

You also need to create a custom subscription because if the model is protected by an ownerField, the generated subscription will ask for it. The other interesting thing is that if you don't return every field when you're calling your mutation, the subscription won't be fired.
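
The "return every field" behaviour described above, as an added example that is not from the thread or the Amplify project: a simplified model of AppSync's delivery rule, where subscribers receive only the triggering mutation's selection set and subscription arguments are matched against it. The subscription name `onInvitationCreated`, its `invitedUserId` argument, the documents and the record are constructed assumptions.

```javascript
// Added example: simplified model, constructed inputs (not the reporter's code).
// Hypothetical custom subscription; its argument is a field of ChatInvitation.
const SUBSCRIPTION = `
  subscription OnInvitation($invitedUserId: ID!) {
    onInvitationCreated(invitedUserId: $invitedUserId) {
      id invitedUserId senderId owner message status
    }
  }`;
// Two variants of the mutation the Lambda sends; only the selection set differs.
const MUTATION_SHORT = `
  mutation Create($input: CreateChatInvitationInput!) {
    createChatInvitation(input: $input) { id status }
  }`;
const MUTATION_FULL = MUTATION_SHORT.replace(
  "{ id status }", "{ id invitedUserId senderId owner message status }");

// Parse the single root field of a flat operation: name, argument names, fields.
function rootField(doc) {
  const m = /\{\s*(\w+)\s*(?:\(([^)]*)\))?\s*\{([^{}]*)\}/.exec(doc);
  if (!m) throw new Error("expected one root field with a flat selection set");
  return {
    name: m[1],
    args: [...(m[2] || "").matchAll(/(\w+)\s*:/g)].map((a) => a[1]),
    fields: m[3].split(/[\s,]+/).filter(Boolean),
  };
}

// Model of delivery: returns the subscriber's payload, or null if nothing fires.
function deliver(record, mutationDoc, subscriptionDoc, argValues) {
  const returned = new Set(rootField(mutationDoc).fields);
  const sub = rootField(subscriptionDoc);
  for (const arg of sub.args) {
    // An argument can only match a field the mutation actually returned.
    if (!returned.has(arg) || record[arg] !== argValues[arg]) return null;
  }
  // Fields the mutation did not select are null for the subscriber.
  return Object.fromEntries(
    sub.fields.map((f) => [f, returned.has(f) && f in record ? record[f] : null]));
}

// Lint for the Lambda: fields its selection set must add for this subscription.
function missingFromMutation(mutationDoc, subscriptionDoc) {
  const returned = new Set(rootField(mutationDoc).fields);
  const sub = rootField(subscriptionDoc);
  return [...new Set([...sub.args, ...sub.fields])].filter((f) => !returned.has(f));
}

const RECORD = { id: "inv-1", invitedUserId: "user-b", senderId: "user-a",
  owner: "user-b", message: "hi", status: null }; // constructed sample
```

With `{ allow: private, operations: [read] }` in place, every signed-in user is authorized to read and subscribe to `ChatInvitation`, so the argument narrows delivery but is not an access check.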

chrisbonifacio commented 3 years ago

@neats-returns Ah, nice work figuring it out! That behavior of needing to return every field sounds like DataStore might be enabled for the API? Is this true or are you only using API.graphql?

neats-returns commented 3 years ago

Well I was using it before, but I disabled it with `amplify update api`. I'm now only using `API.graphql`

github-actions[bot] commented 2 years ago

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.