Amplify-cli: @aws_auth directive does not grant full access to query with multiple data sources

Created on 2 Jan 2019 · 4 comments · Source: aws-amplify/amplify-cli

Describe the bug
When adding the @aws_auth directive to a specific Query, the user group does not get full access to all the attributes in the query

To Reproduce

  1. Create the following schema:

type Node {
    node_id: String!
    node_name: String
    location_id: String
    location_name: String
}

type Location {
    location_id: String
    location_name: String
}

type Query {
    getNode(node_id: String!): Node
}

The node_id, node_name and location_id fields are native fields within a DynamoDB table called Nodes, while the location_id and location_name fields are native to another DynamoDB table called Locations.

  2. Add a custom resolver for the location_name field, since we want to fetch back the location_name along with a query for nodes.

Data Source: Locations

Request Mapping Template
{
    "version" : "2017-02-28",
    "operation" : "Scan",
    "filter" : {
        "expression" : "location_id = :location_id",
        "expressionValues" : {
            ":location_id" : { "S" : "${ctx.source.location_id}" }
        }
    }
}

Response Mapping Template
$util.toJson($ctx.result.items[0].location_name)
  3. Select Authorization type as Amazon Cognito User Pool.

  4. Under User Pool configuration, select default action: DENY.

  5. Add the @aws_auth directive to the query:

type Query {
    getNode(node_id: String!): Node
    @aws_auth(cognito_groups: ["Users"])
}

  6. Query getNode via the Queries console.

Expected behavior
We get back the full record for the node.
Instead, we get back the data for the node_id, node_name and location_id fields, but cannot resolve the location_name:

{
  "data": {
    "getNode": {
      "node_id": "111",
      "location_name": "ABC",
      "node_name": "Apple"
    }
  },
  "errors": [
    {
      "path": [
        "getNode",
        "location_name"
      ],
      "data": null,
      "errorType": "Unauthorized",
      "errorInfo": null,
      "locations": [
        {
          "line": 4,
          "column": 5,
          "sourceName": null
        }
      ],
      "message": "Not Authorized to access location_name on type Node"
    }
  ]
}

Additional context
Any explanation on how exactly the @aws_auth directives work would be helpful. There seems to be limited documentation on this. Thank you!

Labels: graphql-transformer, pending-response, question


All 4 comments

The only way we managed to resolve this was to explicitly add the @aws_auth annotation on the location_name field within the type. Is this expected behaviour?

The implication is that we would have to do this for every field that uses data from another table.

type Node {
    node_id: String!
    node_name: String
    location_id: String
    location_name: String
    @aws_auth(cognito_groups: ["Users"])
    # without the annotation, the location_name field cannot be resolved.
}

Just wanted to check if anyone else encountered the same issue?

When specifying the default action of DENY then you must explicitly allow access on the field. You may also set this value to ALLOW and I believe the full object should come back as expected.
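
The behaviour described in the issue report and in the comment above (a DENY default action only bites on fields that have their own resolver, and an @aws_auth on the Query field does not carry over to fields of the returned type) can be seen in a small model of the per-field decision. This is an added example written for this page; it is not code from amplify-cli or AWS AppSync, and the decision rules it encodes (fields without a resolver pass through from the parent object; a field with a resolver is allowed if any of its @aws_auth groups matches the caller, otherwise the user pool default action decides) are assumptions drawn from what the thread reports, as are the sample record and group names.

```python
"""Model of AppSync field-level authorization with a Cognito user pool.

Added example, not part of the amplify-cli project. Assumptions (as in the
lead-in): only fields with a resolver attached are authorization-checked;
fields served straight from the parent object pass through; a field with
@aws_auth(cognito_groups: [...]) is allowed for callers in any listed group;
a field with a resolver but no directive falls back to the default action.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SchemaField:
    name: str
    has_resolver: bool = False        # e.g. the custom Locations scan resolver
    aws_auth_groups: tuple = ()       # groups from @aws_auth(cognito_groups: [...])


def field_authorized(fld, caller_groups, default_action):
    """Return (allowed, reason) for one field of the selected type."""
    if not fld.has_resolver:
        return True, "no resolver: value copied from the parent object"
    if fld.aws_auth_groups:
        if set(fld.aws_auth_groups) & set(caller_groups):
            return True, "caller is in an @aws_auth group"
        return False, "caller is not in any @aws_auth group"
    if default_action == "ALLOW":
        return True, "no directive on a resolver field, default action ALLOW"
    return False, "no directive on a resolver field, default action DENY"


def resolve(type_name, fields, source, caller_groups, default_action, path_prefix):
    """Build the data/errors shape the thread shows for one selection set."""
    data, errors = {}, []
    for fld in fields:
        allowed, _reason = field_authorized(fld, caller_groups, default_action)
        if allowed:
            data[fld.name] = source.get(fld.name)
        else:
            data[fld.name] = None
            errors.append({
                "path": list(path_prefix) + [fld.name],
                "errorType": "Unauthorized",
                "message": f"Not Authorized to access {fld.name} on type {type_name}",
            })
    return data, errors


# Constructed sample record: what the Nodes row plus the Locations lookup yield.
NODE_SOURCE = {"node_id": "111", "node_name": "Apple",
               "location_id": "L-1", "location_name": "ABC"}

# Schema as first reported: only the Query field carries @aws_auth, so Node's
# fields have no directive of their own.
NODE_AS_REPORTED = (
    SchemaField("node_id"),
    SchemaField("node_name"),
    SchemaField("location_id"),
    SchemaField("location_name", has_resolver=True),
)

# Schema after the fix in the thread: @aws_auth added on the resolver field.
NODE_WITH_FIELD_AUTH = NODE_AS_REPORTED[:3] + (
    SchemaField("location_name", has_resolver=True, aws_auth_groups=("Users",)),
)


def scenarios():
    """Run the four combinations a reviewer would want to compare."""
    path = ("getNode",)
    return {
        "reported_deny": resolve("Node", NODE_AS_REPORTED, NODE_SOURCE, ["Users"], "DENY", path),
        "reported_allow": resolve("Node", NODE_AS_REPORTED, NODE_SOURCE, ["Users"], "ALLOW", path),
        "fixed_deny_users": resolve("Node", NODE_WITH_FIELD_AUTH, NODE_SOURCE, ["Users"], "DENY", path),
        "fixed_deny_other": resolve("Node", NODE_WITH_FIELD_AUTH, NODE_SOURCE, ["Guests"], "DENY", path),
    }


if __name__ == "__main__":
    for name, (data, errors) in scenarios().items():
        print(name, data, [e["message"] for e in errors])
```

Running it reproduces the report: with DENY and no directive on location_name, the three pass-through fields come back and location_name is nulled with "Not Authorized to access location_name on type Node"; switching the default action to ALLOW, or adding @aws_auth to the field, returns the full record for a caller in the Users group, while a caller outside that group is still refused on the annotated field.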

Thank you @mikeparisstuff. Useful to know that we must explicitly allow access on custom-resolver fields, if we are using the DENY action.
