amplify-cli: Unauthorized while performing update mutation on model GraphQL Transformer V2

Before opening, please confirm:

  • I have installed the latest version of the Amplify CLI (see above), and confirmed that the issue still persists.
  • I have searched for duplicate or closed issues.
  • I have read the guide for submitting bug reports.
  • I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
  • I have removed any sensitive information from my code snippets and submission.

How did you install the Amplify CLI?

npm

If applicable, what version of Node.js are you using?

v17.5.0

Amplify CLI Version

7.6.22

What operating system are you using?

Mac

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

Deleted a field from model and updated the GraphQL API Resource ( Appsync ).

Amplify Categories

auth, api

Amplify Commands

Not applicable

Describe the bug

type Farmer 
  @model  
  @auth(
    rules: [
      { allow: owner, operations: [create, update, read] },
      { allow: groups, groups: ["Admin"], operations: [read] }
    ])
  {
  identityId: String
  profileImg: String
  name: String!
  mobile: AWSPhone! @primaryKey 
  billing: Shipping
  shipping: [Shipping]
  email: String
  fb: String
  google: String
  cart: [CartItem]
  wishList: [String]
}

Issue faced - Unauthorized to run update mutation on the model after being authenticated. This issue is not only being faced with the owner auth type but also with the group auth type. Our system is in production and we need immediate resolution for this. Please support as soon as possible.

Expected behavior

Intended Auth Access - The owner should be able to create, read and update. Admin should be able to read.

Reproduction steps

  1. Make change to GraphQL schema
  2. Perform amplify push
  3. Auth Error occurs

GraphQL schema(s)

# Put schemas below this line
type Farmer 
  @model  
  @auth(
    rules: [
      { allow: owner, operations: [create, update, read] },
      { allow: groups, groups: ["Admin"], operations: [read] }
    ])
  {
  identityId: String
  profileImg: String
  name: String!
  mobile: AWSPhone! @primaryKey 
  billing: Shipping
  shipping: [Shipping]
  email: String
  fb: String
  google: String
  cart: [CartItem]
  wishList: [String]
}

Log output

# Put your logs below this line


Additional information

No response

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 2
  • Comments: 16 (5 by maintainers)

Most upvoted comments

+1 This is a serious problem, downgrading to v7.6.21 works

There was a change in how VTL files are generated. If a particular group does not have nullification or delete privileges, then they will not be able to perform a mutation. Check the Mutation.updateXXXXXX.auth.1.res.vtl file

#set($staticGroupRoles=[
{"claim":"cognito:groups","entity":"admins","allowedFields":["id","name","truck","trips","notes","meta"],"nullAllowedFields":["id","name","truck","trips","notes","meta"],"isAuthorizedOnAllFields":true},
{"claim":"Cognito:groups","entity":"management","allowedFields":["id","name","truck","trips","notes","meta"],"nullAllowedFields":[],"isAuthorizedOnAllFields":false},
])

If you are trying to modify a field that is not in the null allowed fields, then you will get an Error: User Not Authorized.

I know this isn't ideal, but hopefully a fix will come in a near-future graphql transformer version; in the meantime, try adding delete permission to that group.
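An audit script, added here as an example (it is not from this issue or from the Amplify project), that pulls the staticGroupRoles block out of a generated Mutation.update*.auth.1.res.vtl and applies the rule the comment above describes. The VTL text is a constructed sample shaped like the snippet above, and the authorization rule is an assumed model of that description, not the transformer's own VTL logic.

```python
import json
import re

# Constructed sample of the relevant lines of a generated
# Mutation.updateXXXXXX.auth.1.res.vtl, shaped after the comment above.
SAMPLE_VTL = """\
#set($staticGroupRoles=[
{"claim":"cognito:groups","entity":"admins","allowedFields":["id","name","truck","trips","notes","meta"],"nullAllowedFields":["id","name","truck","trips","notes","meta"],"isAuthorizedOnAllFields":true},
{"claim":"cognito:groups","entity":"management","allowedFields":["id","name","truck","trips","notes","meta"],"nullAllowedFields":[],"isAuthorizedOnAllFields":false},
])
"""


def parse_static_group_roles(vtl):
    """Extract the JSON objects inside #set($staticGroupRoles=[ ... ])."""
    block = re.search(r"#set\(\$staticGroupRoles=\[(.*?)\]\)", vtl, re.S)
    if not block:
        return []
    # Each role is a flat JSON object (no nested braces), so a lazy match works.
    return [json.loads(obj) for obj in re.findall(r"\{.*?\}", block.group(1), re.S)]


def update_denied_fields(role, update_input):
    """Fields of an update input this role may not touch (assumed model):
    a field may be set only if it is in allowedFields, and set to null
    only if it is also in nullAllowedFields."""
    denied = []
    for field, value in update_input.items():
        if field not in role["allowedFields"]:
            denied.append(field)
        elif value is None and field not in role["nullAllowedFields"]:
            denied.append(field)
    return denied


def authorize_update(roles, user_groups, update_input):
    """Authorized if at least one of the caller's group roles permits every field."""
    for role in roles:
        if role["entity"] in user_groups and not update_denied_fields(role, update_input):
            return True
    return False


def groups_without_null_privileges(roles):
    """Audit helper: groups with an empty nullAllowedFields list will be
    rejected on any update that sets a field to null."""
    return [role["entity"] for role in roles if not role["nullAllowedFields"]]
```

Run it over the real file under the API's build/resolvers directory after an amplify push to see which groups the generated resolver will reject.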

Hey @shriram192 👋 thanks for raising this! Unfortunately I was not able to reproduce using the following schema:

type Todo
  @model
  @auth(
    rules: [
      { allow: owner }
      { allow: groups, groups: ["admins"] }
    ]
  ) {
  id: ID! @primaryKey
  owner: ID
  name: String!
  description: String
}

with two users, admin and user, of which admin is a member of the admins group. Both admin and user are able to update records as intended. However, when explicitly granting update access the update mutations no longer work:

type Todo
  @model
  @auth(
    rules: [
      { allow: owner, operations: [create, update, read] }
      { allow: groups, groups: ["admins"], operations: [read] }
    ]
  ) {
  id: ID! @primaryKey
  owner: ID
  name: String!
  description: String
}

It is important to note create and read are working as expected.


Marking as a bug 🙂