Mutations are not authorized when using manyToMany relation and cognito user groups auth | Amplify v6

Open edlefebvre opened this issue 1 year ago • 3 comments

JavaScript Framework

Vue

Amplify APIs

Authentication, GraphQL API

Amplify Version

v6

Amplify Categories

auth, api

Backend

Amplify CLI

Environment information

# Put output below this line
  System:
    OS: Linux 6.9 Fedora Linux 39
    Container: Yes
    Shell: 5.9 - /usr/bin/zsh
  Binaries:
    Node: 20.8.1 - ~/.nvm/versions/node/v20.8.1/bin/node
    Yarn: 1.22.21 - /usr/bin/yarn
    npm: 10.2.5 - ~/.nvm/versions/node/v20.8.1/bin/npm
  Browsers:
    Chrome: 128.0.6613.84
  npmPackages:
    @aws-amplify/ui-vue: ^4.2.0 => 4.2.0 
    @vitejs/plugin-vue: ^5.1.2 => 5.1.2 
    aws-amplify: ^6.5.3 => 6.5.3 
    aws-amplify/adapter-core:  undefined ()
    aws-amplify/analytics:  undefined ()
    aws-amplify/analytics/kinesis:  undefined ()
    aws-amplify/analytics/kinesis-firehose:  undefined ()
    aws-amplify/analytics/personalize:  undefined ()
    aws-amplify/analytics/pinpoint:  undefined ()
    aws-amplify/api:  undefined ()
    aws-amplify/api/server:  undefined ()
    aws-amplify/auth:  undefined ()
    aws-amplify/auth/cognito:  undefined ()
    aws-amplify/auth/cognito/server:  undefined ()
    aws-amplify/auth/enable-oauth-listener:  undefined ()
    aws-amplify/auth/server:  undefined ()
    aws-amplify/data:  undefined ()
    aws-amplify/data/server:  undefined ()
    aws-amplify/datastore:  undefined ()
    aws-amplify/in-app-messaging:  undefined ()
    aws-amplify/in-app-messaging/pinpoint:  undefined ()
    aws-amplify/push-notifications:  undefined ()
    aws-amplify/push-notifications/pinpoint:  undefined ()
    aws-amplify/storage:  undefined ()
    aws-amplify/storage/s3:  undefined ()
    aws-amplify/storage/s3/server:  undefined ()
    aws-amplify/storage/server:  undefined ()
    aws-amplify/utils:  undefined ()
    vite: ^5.4.2 => 5.4.2 
    vue: ^3.4.15 => 3.4.38 
    vue-router: ^4.2.5 => 4.2.5 
  npmGlobalPackages:
    @aws-amplify/cli: 12.12.6
    npm: 10.2.5

Describe the bug

I can't write mutations for manyToMany relations with Amplify v6; I get an unauthorized error.

I've seen this bug (13226) which could be related, except I don't use Datastore.

Consider this graphql schema:

type TestAuth
  @model
  @auth(
    rules: [
      { allow: groups, groups: ["admin"] },
      { allow: groups, groupsField: "create", operations: [create] },
      { allow: groups, groupsField: "read", operations: [read] },
      { allow: groups, groupsField: "update", operations: [update] },
      { allow: groups, groupsField: "delete", operations: [delete] }
    ]
  )
{
  id: ID!
  tenant: String!
  name: String
  sites: [TestAuthSite] @manyToMany(relationName: "TestAuthSiteLinks")
  create: [String] 
  read: [String] 
  update: [String] 
  delete: [String] 
}


type TestAuthSite
  @model
  @auth(
    rules: [
      { allow: groups, groups: ["admin"] },
      { allow: groups, groupsField: "create", operations: [create] },
      { allow: groups, groupsField: "read", operations: [read] },
      { allow: groups, groupsField: "update", operations: [update] },
      { allow: groups, groupsField: "delete", operations: [delete] }
    ]
  )
{
  id: ID!
  tenant: String!
  name: String
  testauth: [TestAuth] @manyToMany(relationName: "TestAuthSiteLinks")
  create: [String]
  read: [String] 
  update: [String] 
  delete: [String]
}

Using a user with a Cognito group 'Manager' that has CRUD rights on these two models, I'm able to create TestAuth and TestAuthSite. But the createTestAuthSiteLinks mutation throws the error "Not Authorized to access createTestAuthSiteLinks on type Mutation".

I tried this directly in AppSync and in my app, both failed.

Any help much appreciated!

Expected behavior

Should be able to write mutations for linking manyToMany relations when the models to join both have auth set up with Cognito groups.

Reproduction steps

  1. Use the suggested graphql schema
  2. Create a TestAuth
  3. Create a TestAuthSite
  4. Try to create a TestAuthSiteLinks and see the error


edlefebvre, Aug 30 '24 12:08
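
A simplified local model of the group rules in the schema above, added here as an example and not code from the issue or from Amplify: it reports which rules, if any, would let a caller with a given `cognito:groups` claim perform an operation on a record. The evaluator, the sample records and the link record's field names are assumptions; Amplify's generated resolvers remain the authority on actual behaviour.

```javascript
// Added example: a local model of the @auth rules from the schema in the issue.
// This is NOT Amplify's resolver logic; it only mirrors how the rules read.
const RULES = [
  { allow: "groups", groups: ["admin"] }, // static rule, no operations listed => all
  { allow: "groups", groupsField: "create", operations: ["create"] },
  { allow: "groups", groupsField: "read", operations: ["read"] },
  { allow: "groups", groupsField: "update", operations: ["update"] },
  { allow: "groups", groupsField: "delete", operations: ["delete"] },
];
const ALL_OPS = ["create", "read", "update", "delete"];

// Return the rules that would grant `operation` on `record` to a caller whose
// token carries `callerGroups` (the cognito:groups claim).
function matchingRules(rules, callerGroups, operation, record) {
  const caller = new Set(callerGroups || []);
  return rules.filter((rule) => {
    if (rule.allow !== "groups") return false;
    if (!(rule.operations || ALL_OPS).includes(operation)) return false;
    // Static rule: group names are fixed in the schema.
    if (rule.groups) return rule.groups.some((g) => caller.has(g));
    // Dynamic rule: group names come from a field on the record itself.
    const value = record ? record[rule.groupsField] : undefined;
    const allowed = Array.isArray(value) ? value : value ? [value] : [];
    return allowed.some((g) => caller.has(g));
  });
}

function isAuthorized(rules, callerGroups, operation, record) {
  return matchingRules(rules, callerGroups, operation, record).length > 0;
}

// Constructed sample data (not taken from the issue).
const managerGroups = ["Manager"];
const testAuthInput = {
  tenant: "t1", name: "example",
  create: ["Manager"], read: ["Manager"], update: ["Manager"], delete: ["Manager"],
};
// Assumed shape of a link record: two foreign keys and no group fields.
// The field names are hypothetical.
const linkInput = { testAuthId: "id-1", testAuthSiteId: "id-2" };

console.log("Manager create TestAuth:", isAuthorized(RULES, managerGroups, "create", testAuthInput));
console.log("Manager create link:   ", isAuthorized(RULES, managerGroups, "create", linkInput));
console.log("admin create link:     ", isAuthorized(RULES, ["admin"], "create", linkInput));
```

Under this model, a record that carries no `create` group field can only be created through the static `admin` rule, so comparing the caller's `cognito:groups` claim with the fields actually present on the record is a useful first check when a group-based mutation is rejected.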