
Guest Access Not Working in Flutter with User Pools Authorization

Open kuoaid opened this issue 10 months ago • 3 comments

Environment information

System:
  OS: macOS 14.5
  CPU: (10) arm64 Apple M1 Pro
  Memory: 160.56 MB / 16.00 GB
  Shell: /bin/zsh
Binaries:
  Node: 22.13.1 - /usr/local/bin/node
  Yarn: undefined - undefined
  npm: 10.9.2 - /usr/local/bin/npm
  pnpm: undefined - undefined
NPM Packages:
  @aws-amplify/auth-construct: 1.6.0
  @aws-amplify/backend: 1.14.0
  @aws-amplify/backend-auth: 1.5.0
  @aws-amplify/backend-cli: 1.4.9
  @aws-amplify/backend-data: 1.4.0
  @aws-amplify/backend-deployer: 1.1.16
  @aws-amplify/backend-function: 1.12.1
  @aws-amplify/backend-output-schemas: 1.4.0
  @aws-amplify/backend-output-storage: 1.1.4
  @aws-amplify/backend-secret: 1.1.6
  @aws-amplify/backend-storage: 1.2.4
  @aws-amplify/cli-core: 1.2.3
  @aws-amplify/client-config: 1.5.6
  @aws-amplify/deployed-backend-client: 1.5.0
  @aws-amplify/form-generator: 1.0.3
  @aws-amplify/model-generator: 1.0.12
  @aws-amplify/platform-core: 1.6.1
  @aws-amplify/plugin-types: 1.8.0
  @aws-amplify/sandbox: 1.2.11
  @aws-amplify/schema-generator: 1.2.7
  aws-amplify: 6.12.3
  aws-cdk: 2.177.0
  aws-cdk-lib: 2.177.0
  typescript: 5.7.3
No AWS environment variables
No CDK environment variables

Describe the bug

I have configured my data model with the following authorization rules:

  • The owner can perform any action.
  • Unauthenticated (guest) users should have read-only access.

.authorization((allow) => [
  allow.owner(),
  allow.guest().to(['read']),
])

However, when running my app and querying data without a signed-in user:

authorizationMode: APIAuthorizationType.userPools

I consistently receive the following error:

"underlyingException": "SignedOutException {
  "message": "No user is currently signed in"
}"

My expectation is that allow.guest().to(['read']) should permit unauthenticated users to read the data.

Expected Behavior

When no user is signed in, guest users should be able to query the data without requiring authentication.

Actual Behavior

An exception (SignedOutException) is thrown, indicating that no user is currently signed in, blocking guest access.

Documentation Issue

The Amplify documentation suggests using:

authMode: 'identityPool'

However:

  • This does not appear to be a valid option in Flutter (api_authorization_type.dart does not define such a value).
  • The example code in the documentation seems to be written for React, not Flutter.

Possible Solutions / Questions

  • Is there a way to explicitly set the authorization mode for guest users in Flutter while conserving the owner-based authorization functionalities?
  • Is the Flutter documentation incorrect or outdated regarding public data access?

Additional Context

This issue prevents guests from accessing public data, which contradicts the intended behavior of allow.guest().to(['read']). Any guidance on proper guest access implementation in Flutter would be helpful.

Reproduction steps

  1. Configure any data model with the authorization rules above.
  2. Run the app and attempt to query data without signing in.
  3. Observe the SignedOutException error.

kuoaid avatar Mar 17 '25 21:03 kuoaid

Hey, 👋 thanks for raising this! I'm going to transfer this over to our Amplify Flutter repository for better assistance.

ykethan avatar Mar 18 '25 15:03 ykethan

A workaround is to define an API key like this in data/resource.ts:

export const data = defineData({
  schema,
  authorizationModes: {
    defaultAuthorizationMode: "userPool",
    apiKeyAuthorizationMode: {
      expiresInDays: 30,
    }
  },
});

And introduce the auth rule for your models like:

.authorization((allow) => [
  allow.publicApiKey().to(['read','create'])
])

When you query for the data, specify the optional field when creating your request:

authorizationMode: APIAuthorizationType.apiKey,

This bypasses the guest system.

However, I imagine this isn't the ideal solution for allowing guest access. Seems to me like the intended design is to use identity pool access and allow.guest.

kuoaid avatar Mar 18 '25 20:03 kuoaid
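
An added example, not part of the thread or of the Amplify project's code: the workaround above grants 'create' as well as 'read' to API-key callers, whereas the original rule gave guests read access only. This TypeScript check scans the text of a data/resource.ts file for allow.publicApiKey() rules that permit write operations; the function name, the Finding type and the sample strings are constructed for illustration.

```typescript
// Added example: audit allow.publicApiKey() rules for write access.
// Anyone holding the API key can use these rules, so a review usually wants
// them limited to read operations.

interface Finding {
  line: number;          // 1-based line of the rule in the scanned source
  operations: string[];  // write operations granted; ["*"] = rule not narrowed
}

const WRITE_OPS = ["create", "update", "delete"];

function auditPublicApiKeyRules(source: string): Finding[] {
  const findings: Finding[] = [];
  // Matches allow.publicApiKey() with an optional .to([...]) operation list.
  const rule = /allow\s*\.\s*publicApiKey\s*\(\s*\)(\s*\.\s*to\s*\(\s*\[([^\]]*)\]\s*\))?/g;
  let m: RegExpExecArray | null;
  while ((m = rule.exec(source)) !== null) {
    const line = source.slice(0, m.index).split("\n").length;
    if (m[1] === undefined) {
      // No .to([...]): the rule is not narrowed to specific operations.
      findings.push({ line: line, operations: ["*"] });
      continue;
    }
    const granted: string[] = [];
    const op = /['"]([A-Za-z]+)['"]/g;
    let o: RegExpExecArray | null;
    while ((o = op.exec(m[2])) !== null) {
      if (WRITE_OPS.indexOf(o[1]) !== -1) granted.push(o[1]);
    }
    if (granted.length > 0) findings.push({ line: line, operations: granted });
  }
  return findings;
}

// Constructed sample: the rule as posted in the workaround.
const SAMPLE_WORKAROUND = [
  ".authorization((allow) => [",
  "  allow.publicApiKey().to(['read','create'])",
  "])",
].join("\n");

// Constructed sample: the same rule narrowed to read-only next to owner access.
const SAMPLE_READ_ONLY = [
  ".authorization((allow) => [",
  "  allow.owner(),",
  "  allow.publicApiKey().to(['read']),",
  "])",
].join("\n");
```

auditPublicApiKeyRules(SAMPLE_WORKAROUND) reports the 'create' grant on line 2, and SAMPLE_READ_ONLY produces no findings.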

Hi @kuoaid, thanks for raising this issue and for the workaround. I agree that allow.guest().to(['read']) should work as you initially expected, where an unauthenticated user has read access without that signed-out exception being raised. We will investigate a fix for this. Thank you as well for bringing up the documentation; that is indeed outdated and needs to be updated for the Flutter library.

ekjotmultani avatar Mar 26 '25 17:03 ekjotmultani