Amplify-cli: @auth with multiple auth types on nested types not working

Created on 6 Nov 2019 · 8 Comments · Source: aws-amplify/amplify-cli

I have implemented multiple authentication systems with Cognito pools as the default and 'IAM' as the other.

I have a city model:

```graphql
type City @model
  @key(name: "cityByName", fields: ["title"], queryField: "findCityByName")
  @auth(rules: [
    { allow: groups, groups: ["admin"], operations: [update, delete, create] },
    { allow: public, provider: iam, operations: [read] }
  ])
  @searchable {
  id: ID!
  title: String!
  description: String
  country: String
  continent: String
  location: Location
  timezoneOffset: Float
  currency: String
  images: [String]
  createdAt: Float!
  updatedAt: Float!
}
```

with the nested object type 'Location':

```graphql
type Location { lat: Float lon: Float }
```

Now if I run the query with IAM as the auth mode, the query gives an error:

message: "Not Authorized to access lat on type Location"

Location is a type and simply outlines the data structure for location, and I cannot apply auth rules to it unless I convert it with the @model directive, which I don't want to do.

If I removed the location fields from the query being called, the data returns just fine.

How am I meant to get the location data if I cannot apply auth rules to the location without adding the @model directive?

graphql-transformer pending-triage

All 8 comments

Hey there, you should add @aws_iam to your nested type definition, like this:

```graphql
type Location @aws_iam { lat: Float lon: Float }
```

That way the AppSync auth will validate. You can utilize other authorization modes, described here:

https://docs.aws.amazon.com/appsync/latest/devguide/security.html#using-additional-authorization-modes

Hope that helps!

This is not possible through the Amplify JS client:

Directive "aws_iam" may not be used on INPUT_OBJECT.

@oliverandersencox What @warrenmcquinn mentioned is correct. If you add the @aws_iam directive to your Location type, you should be able to access that type.

In context to your last response, what wouldn't be possible via JS client?

Maybe, #2673 is the same issue.

@oliverandersencox Let me know if you're still stuck after adding the directives (@aws_iam) to your non-model types as mentioned in my comment above.

@kaustavghosh06 the problem is that amplify-cli auto generates the schema file, and so currently these directives need to be added manually from aws console after every single amplify api push. This seems like a bug.

@dubchoi In the above schema, the type Location is a part of the schema.graphql file defined by the annotated schema. This type Location is not generated or overwritten by the CLI, and whatever auth rules, like @aws_iam, are mentioned on this type Location are passed through as is to the de-compiled schema.

Oh I see, I thought we were only allowed to use the @auth directive when using amplify-cli, which it then translates to @aws_iam, etc.

For what it's worth, I would expect the @auth rule to propagate to nested non-model types by default, but thanks for the workaround for now.
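
A schema check for the situation discussed in this thread, as an added example that is not part of the thread or of amplify-cli: it scans a `schema.graphql` for non-`@model` object types nested directly in a `@model` type and reports which AppSync directive each one lacks for the providers named in the parent's `@auth` rules. The function names, the provider-to-directive table and the sample schema are this example's own; it assumes one level of nesting and only looks at explicit `provider:` values.

```javascript
// Added example (not amplify-cli code): lint an Amplify schema.graphql for
// non-@model object types that lack the AppSync directive their parent needs.
const DIRECTIVE_FOR = { iam: '@aws_iam', apiKey: '@aws_api_key',
  userPools: '@aws_cognito_user_pools', oidc: '@aws_oidc' };

function parseTypes(sdl) {
  const types = {};
  // Only `type` blocks: these directives are rejected on `input` types.
  for (const m of sdl.matchAll(/^\s*type\s+(\w+)/gm)) {
    const start = m.index + m[0].length;
    let i = start, depth = 0;
    // The field block opens at the first "{" outside directive parentheses.
    for (; i < sdl.length && !(sdl[i] === '{' && depth === 0); i++) {
      if (sdl[i] === '(') depth++;
      else if (sdl[i] === ')') depth--;
    }
    const body = sdl.slice(i + 1, sdl.indexOf('}', i)).replace(/\([^)]*\)/g, '');
    const fieldTypes = [...body.matchAll(/\w+\s*:\s*\[?\s*(\w+)/g)].map(f => f[1]);
    types[m[1]] = { head: sdl.slice(start, i), fieldTypes };
  }
  return types;
}

function missingAuthDirectives(sdl) {
  const types = parseTypes(sdl), findings = [];
  for (const [model, t] of Object.entries(types)) {
    if (!/@model\b/.test(t.head)) continue;
    // Assumption: only explicit `provider:` values in @auth rules are checked.
    const needed = new Set([...t.head.matchAll(/provider\s*:\s*(\w+)/g)]
      .map(p => DIRECTIVE_FOR[p[1]]).filter(Boolean));
    for (const ref of new Set(t.fieldTypes)) {
      const nested = types[ref];
      if (!nested || /@model\b/.test(nested.head)) continue;
      for (const d of needed)
        if (!nested.head.includes(d)) findings.push({ model, type: ref, missing: d });
    }
  }
  return findings;
}

// Constructed sample based on the schema in the question.
const SAMPLE = `
type City @model
  @auth(rules: [
    { allow: groups, groups: ["admin"], operations: [update, delete, create] },
    { allow: public, provider: iam, operations: [read] }
  ]) {
  id: ID!
  location: Location
}
type Location { lat: Float lon: Float }`;

console.log(missingAuthDirectives(SAMPLE));
```

Running it before `amplify push` surfaces the gap that otherwise only appears at query time as "Not Authorized to access lat on type Location".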
