Custom types can't have authorization modes added to them, meaning if you have a custom mutation and multiple auth modes, response types won't be accessible #2486

Closed
aherschel opened this issue Apr 22, 2024 · 7 comments · Fixed by aws-amplify/amplify-data#204
Labels
bug Something isn't working Gen 2 transferred

Contributor

aherschel commented Apr 22, 2024

Environment information

Relevant deps:

"@aws-amplify/data-schema": "^0.16.2",
"@aws-amplify/graphql-api-construct": "^1.8.1",

Description

This issue may be better routed to the graphql-cdk repo, but dropping here as I think it relates to Gen2 release.

// schema.ts
import { a, type ClientSchema } from '@aws-amplify/data-schema';

export const schema = a.schema({
  EchoResponse: a.customType({
    content: a.string().required(),
    executionDuration: a.float().required(),
  }),
  echo: a
    .query()
    .arguments({ content: a.string().required() })
    .returns(a.ref('EchoResponse'))
    .authorization(allow => [
      allow.publicApiKey(),
    ])
    .handler(a.handler.function('echo'))
});

export type Schema = ClientSchema<typeof schema>;

// app.ts

...
    const echo = createNodeJsFunction('EchoFn', 'echo.ts'); // generates a lambda fn, details shouldn't matter here

    const api = new AmplifyGraphqlApi(graphqlStack, 'Api', {
      definition: AmplifyGraphqlDefinition.fromString(schema.transform().schema),
      authorizationModes: {
        defaultAuthorizationMode: 'AWS_IAM',
        apiKeyConfig: { expires: Duration.days(30) },
        userPoolConfig: { userPool: auth.resources.userPool },
        iamConfig: {
          identityPoolId: auth.resources.cfnResources.cfnIdentityPool.ref,
          authenticatedUserRole: auth.resources.authenticatedUserIamRole,
          unauthenticatedUserRole: auth.resources.unauthenticatedUserIamRole,
        },
      },
      functionNameMap: {
        echo,
      },
    });
...

Basically, the auth mode configured on the ref'd type isn't having the relevant auth modes enabled on the response types. I had to manually update the schema post-hoc to add the @aws_api_key annotation to the schema after deploying to test.

Member

ykethan commented Apr 22, 2024

Hey 👋 thanks for raising this! I'm going to transfer this over to our API repository for better assistance 🙂

@ykethan ykethan transferred this issue from aws-amplify/amplify-backend Apr 22, 2024
@chrisbonifacio chrisbonifacio added bug Something isn't working and removed pending-triage labels Apr 29, 2024
@iartemiev
Member

I tested the data-schema output for this definition (schema.transform()) and the resulting Model Schema looks how I would expect and is annotated with the correct @auth rules:

type EchoResponse 
{
  content: String!
  executionDuration: Float!
}

type Query {
  echo(content: String!): EchoResponse @function(name: "echo") @auth(rules: [{allow: public, provider: apiKey}])
}

I'm going to assume there's a disconnect in the transformer, so I'll unassign myself and mark this pending-triage again for the buildtime team to take over. Please re-assign to me if I missed something and this is in fact a data-schema issue.

@iartemiev iartemiev removed their assignment Apr 30, 2024
@iartemiev iartemiev added pending-triage bug Something isn't working and removed bug Something isn't working pending-triage labels Apr 30, 2024
@iartemiev iartemiev self-assigned this Apr 30, 2024
Member

iartemiev commented Apr 30, 2024

Scratch what I said above. I get the issue now. The Custom Type, i.e. EchoResponse, isn't getting annotated with an AppSync auth directive, so the service prevents us from retrieving it when multi-auth is configured on the API. Re-assigning this back to myself.

@iartemiev
Member

PR with fix opened in data-schema. Will follow up once it's released.


github-actions bot commented May 1, 2024

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.

@iartemiev
Member

@aherschel - thanks for bringing this to our attention, man!

This is now automatically handled in @aws-amplify/data-schema@^1.1.2.
Any custom types that are referenced by custom operations' return types inherit those custom operation(s)' auth rules.
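
The inheritance rule described in the comment above can be checked against the `schema.transform().schema` output before deploying to a multi-auth API. The following is an added example, not code from this issue or from the Amplify project; the function names, the provider-to-directive table and both sample schemas are constructed for illustration, and only `@auth` rules that name a `provider` explicitly are handled.

```typescript
// Added example (not Amplify code): @auth provider -> AppSync directive a non-model return type needs.
const PROVIDER_DIRECTIVE: Record<string, string> = {
  apiKey: '@aws_api_key', iam: '@aws_iam', userPools: '@aws_cognito_user_pools',
  oidc: '@aws_oidc', function: '@aws_lambda',
};
interface TypeDef { header: string; body: string }
interface Finding { operation: string; returnType: string; missing: string[] }

// Split SDL into `type Name <directives> { body }`; braces are matched by depth because @auth rules nest `{}`.
function parseTypes(sdl: string): Record<string, TypeDef> {
  const types: Record<string, TypeDef> = {};
  const open = /\btype\s+(\w+)([^{]*)\{/g;
  for (let m = open.exec(sdl); m !== null; m = open.exec(sdl)) {
    const start = open.lastIndex;
    let i = start;
    for (let depth = 1; depth > 0 && i < sdl.length; i++)
      depth += sdl[i] === '{' ? 1 : sdl[i] === '}' ? -1 : 0;
    types[m[1]] = { header: m[2], body: sdl.slice(start, i - 1) };
    open.lastIndex = i;
  }
  return types;
}

// Report root-operation fields whose non-model return type lacks a directive the operation's rules imply.
function findUnannotatedReturnTypes(sdl: string): Finding[] {
  const types = parseTypes(sdl);
  const findings: Finding[] = [];
  for (const root of ['Query', 'Mutation', 'Subscription']) {
    const body = types[root] ? types[root].body : '';
    for (const line of body.split('\n')) {
      const f = /^\s*(\w+)\s*(?:\([^)]*\))?\s*:\s*\[?(\w+)[\]!]*(.*)$/.exec(line);
      const target = f ? types[f[2]] : undefined; // undefined for scalars
      if (!f || !target || target.header.indexOf('@model') >= 0) continue;
      const missing: string[] = [];
      const prov = /provider:\s*(\w+)/g;
      for (let p = prov.exec(f[3]); p !== null; p = prov.exec(f[3])) {
        const d = PROVIDER_DIRECTIVE[p[1]];
        if (d && target.header.indexOf(d) < 0 && missing.indexOf(d) < 0) missing.push(d);
      }
      if (missing.length) findings.push({ operation: f[1], returnType: f[2], missing });
    }
  }
  return findings;
}

// Constructed samples: the SDL quoted in this issue, then the same SDL with the manual @aws_api_key workaround.
const QUERY = 'type Query {\n  echo(content: String!): EchoResponse @function(name: "echo")' +
  ' @auth(rules: [{allow: public, provider: apiKey}])\n}';
const FIELDS = '{\n  content: String!\n  executionDuration: Float!\n}\n';
const SDL_BEFORE = 'type EchoResponse\n' + FIELDS + QUERY;
const SDL_AFTER = 'type EchoResponse @aws_api_key\n' + FIELDS + QUERY;
```

A non-empty result from `findUnannotatedReturnTypes` on generated SDL means the operation is authorized for a mode that its response type is not, which is the condition this issue reports.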

Contributor Author

aherschel commented May 1, 2024 via email
