amplify-cli: Unable to make unauthenticated/anonymous requests to graphql api even though cli gives the option to

This is a similar issue to https://github.com/aws-amplify/amplify-js/issues/1252. During auth installation via the cli, the cli gives the option to allow unauthenticated login. However, when trying to make requests to my graphql api (also set up via the cli) without any @auth directive, it’s still not possible to make requests. I still get the same No current user error. I’ve checked the identity pool settings and it looks like the unauth and auth roles are both set. I assume something isn’t set up correctly? Am I missing some permissions/policies on my unauth role?

Expected behaviour It seems like a standard use case to have some methods to be public and some requiring authorisation. For example, all reads for a Post type are publicly accessible, however all writes require an authenticated user that’s the owner of the Post. And comments require any authenticated user to write one for a Post, but any public/anonymous user can read the comments.

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 27 (6 by maintainers)

Most upvoted comments

@rayhaanq you need to update the authentication type in your UI as well. Like this:

import Amplify from 'aws-amplify';
import amplifyConfig from './src/aws-exports';

// Switch the AppSync client from the default (Cognito User Pools) to IAM so
// that identity-pool credentials, including the unauthenticated role, are used.
amplifyConfig.aws_appsync_authenticationType = 'AWS_IAM';
Amplify.configure(amplifyConfig);

@mikeparisstuff once IAM auth is set up, how do you actually configure permissions for the use case mentioned above? I have this:

type Thing 
  @model 
  @auth(
    rules: [
      {allow: owner, identityField: "cognitoIdentityId"},
    ]
  )
{
  id: ID!
  name: String!
}

It’d be nice to be able to write a rule that looks something like this:

{allow: unauthenticated, queries: [get, list]}

Thoughts?

Ok, the trick lies in Cognito’s custom authentication option: https://aws-amplify.github.io/docs/js/authentication#customizing-authentication-flow

The API

Auth.signIn only requires the username param, so you can omit the password.

That configures your sign in to a CUSTOM_AUTH flow type: https://github.com/aws-amplify/amplify-js/blob/4644b432/packages/auth/src/Auth.ts#L416

Create a User

First you’ll need to create a user in your Cognito User Pool…it just needs a username, nothing else. I called mine guest.

Create a Challenge

Then you have to set up some Lambda functions as Triggers in your User Pool.

I’m not sure how much of this is required, but if you don’t define them then you get an error about null and Lambda.

These establish a series of challenge steps.

Specifically:

  1. Define Auth Challenge
  2. Create Auth Challenge
  3. Verify Auth Challenge

Disclaimer I’m still trying to figure these out, I just c&p’d from the Amplify docs and the author of this “optional password” patch: https://github.com/buggy/project-x-server/tree/master/shopify/src

Up to this point I haven’t figured out how to define the challenge question (it’s late, bed time 💤 ) so I ended up just setting the verifyAuthChallenge fn to true:

exports.handler = async (event, context) => {
  // Accept any answer: the guest user carries no secret to verify.
  event.response.answerCorrect = true;
  // Cognito reads the decision from the returned event object.
  return event;
};

Finally I can call this:

import { Auth } from 'aws-amplify';

// `navigation` is the react-navigation prop of the surrounding screen component.
(async () => {
  try {
    // No password: Amplify starts the CUSTOM_AUTH flow for this username.
    const user = await Auth.signIn('guest');
    // Answer the custom challenge; the Verify trigger above accepts anything.
    await Auth.sendCustomChallengeAnswer(user, 'foo');
    navigation.navigate('App');
  } catch (err) {
    console.error(err);
  }
})();

I hope to get the actual challenge pieces figured out next week, but for now I have the desired effect of readonly models for non authorized users!


I hope this helps somebody! I’ll continue to post as I figure out the rest of the challenge bits.

@kaustavghosh06 thanks for the new release, from what I read on the doc, Public is not compatible with Owner. So the use case with a post that any visitor can read, only logged-in users can comment and only owner can edit is still not supported, can you confirm or did I misunderstand the doc?

We are working on automating this & making it easier. You are correct that the @auth features of the GraphQL transformer only work for User Pools at the moment and if you want to have Auth & UnAuth access to an AppSync API you will need to use AWS_IAM via Cognito Identity Pools right now. If you could take a moment and read our RFC please do so to ensure that we are capturing your requirements: aws-amplify/amplify-cli#766

In the meantime, we have provided a sample to help unblock you here: https://github.com/dabit3/appsync-auth-and-unauth

cc: @dabit3 @manueliglesias @kaustavghosh06
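For the AWS_IAM route the maintainer describes, the permissions live on the Identity Pool's unauthenticated role. The following is an added example, not code from the thread or the linked sample: it builds a policy document that lets anonymous callers invoke only explicitly listed Query fields of the AppSync API and denies every Mutation and Subscription field outright. The region, account id and API id are placeholders; the field names are the examples from this thread's use case.

```javascript
// Added example, not from the thread. Placeholder target values: replace with
// your own region, account id and AppSync API id.
const PLACEHOLDER_TARGET = { region: 'us-east-1', accountId: '123456789012', apiId: 'EXAMPLEAPIID' };

// AppSync field-level ARN used by the appsync:GraphQL action.
function appsyncFieldArn({ region, accountId, apiId }, typeName, fieldName) {
  return `arn:aws:appsync:${region}:${accountId}:apis/${apiId}/types/${typeName}/fields/${fieldName}`;
}

// Policy for the identity pool's *unauthenticated* role: read-only access to
// the named Query fields, plus an explicit deny on all writes and subscriptions.
function buildUnauthReadOnlyPolicy(target, queryFields) {
  if (!Array.isArray(queryFields) || queryFields.length === 0) {
    throw new Error('list at least one Query field; an empty allow list grants nothing');
  }
  for (const f of queryFields) {
    // Field names are GraphQL identifiers; refuse wildcards or path characters.
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(f)) throw new Error(`invalid field name: ${f}`);
  }
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Sid: 'UnauthReadOnly',
        Effect: 'Allow',
        Action: ['appsync:GraphQL'],
        Resource: queryFields.map((f) => appsyncFieldArn(target, 'Query', f)),
      },
      {
        // Defence in depth: a broader Allow attached later still cannot open writes.
        Sid: 'UnauthNoWrites',
        Effect: 'Deny',
        Action: ['appsync:GraphQL'],
        Resource: [
          appsyncFieldArn(target, 'Mutation', '*'),
          appsyncFieldArn(target, 'Subscription', '*'),
        ],
      },
    ],
  };
}

// Small local evaluator for self-checks: does the policy allow appsync:GraphQL
// on this field? An explicit Deny wins over any Allow, as in IAM.
function policyAllows(policy, target, typeName, fieldName) {
  const arn = appsyncFieldArn(target, typeName, fieldName);
  const matches = (pattern) => {
    const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
    return new RegExp('^' + escaped + '$').test(arn);
  };
  let allowed = false;
  for (const st of policy.Statement) {
    if (!st.Action.includes('appsync:GraphQL')) continue;
    if (st.Resource.some(matches)) {
      if (st.Effect === 'Deny') return false;
      allowed = true;
    }
  }
  return allowed;
}

// Thread use case: anyone may list/read posts and comments; nothing else.
const unauthPolicy = buildUnauthReadOnlyPolicy(PLACEHOLDER_TARGET, ['listPosts', 'getPost', 'listComments']);
console.log(JSON.stringify(unauthPolicy, null, 2));
```

The API itself must have AWS_IAM enabled as an auth mode (the console setting mentioned later in this thread) and the client must be configured with `aws_appsync_authenticationType = 'AWS_IAM'`; owner-only writes are then handled by the authenticated role's policy and resolver logic, not by this document.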

@rayhaanq for authenticated users it’s pretty easy as you can add users to groups and give them specific permissions in @auth, but, as I mentioned above, I haven’t figured out how to give unauthenticated users specific permissions.

Edit: I just realized that allow: unauthenticated should probably also apply to signed in users (other than owner) as well. Maybe something like “public” or “everyone” would work.

UPDATE

This actually only handles the owner issue. I still can’t see the records when I have no authenticated user 😕


@cadejscroggins I have the same scenario:

I just need a way to have content that is read/write for the owner and read-only for everyone else (including unauthenticated users)

I just figured out how to do this via the AppSync interface. I’m going to note here in case it helps you and anybody else:

  1. Login to AppSync and navigate to Schema
  2. In the Resolvers panel, find the Query resolvers
  3. Click on the Resolver for the appropriate query (my case was for listOffers)
  4. Update the response mapping template, removing the authentication logic.

Mine was as simple as replacing the hand-built list with: $util.toJson($ctx.result)


I was then able to test the response using the AppSync Queries interface and just pasting in the same query that my app makes.

For a clarification, the @auth directive currently supports Cognito User Pools only. In the future we will expand support for IAM and can do many of the same things but this needs to be worked on. As for the unauthenticated access, we have an issue https://github.com/aws-amplify/amplify-cli/issues/54 that is tracking this.

It sounds as if you are trying to use IAM auth but the API is set up to use AWS Cognito User Pools. Is this correct? The CLI does not currently support GraphQL APIs with IAM but support for this is on the backlog and will be worked on as soon as resources are available.

After creating the API, you can go to the AppSync console’s settings page and enable IAM auth instead of user pools auth to verify if this fixes your issue.