DataStore does not sync if using owner @auth #13769

Open
3 tasks done
PeterSchoell opened this issue Aug 29, 2024 · 2 comments
Labels
DataStore Related to DataStore category pending-maintainer-response Issue is pending a response from the Amplify team.

Comments

@PeterSchoell

Before opening, please confirm:

JavaScript Framework

Vue

Amplify APIs

DataStore

Amplify Version

v6

Amplify Categories

api

Backend

Amplify CLI

Environment information

"aws-amplify": "6.5.3",

Describe the bug

I have an application that uses AppSync DataStore with a model Tenant and owner as the authorisation method at field level.

When I submit a query via the AWS GUI, everything works as expected.

In the application, however, the sync throws a warning and no data is synchronised at all.

DataStore - User is unauthorised to query syncTenants with auth mode userPool. No data could be returned.

In #6625, switching to Cognito as the authentication method should help; however, this is already set for me.

"aws_appsync_authenticationType": "AMAZON_COGNITO_USER_POOLS",

Expected behavior

All data is also synchronised via the datastore

Reproduction steps

  • Set up AppSync with the given model
  • Use Cognito as the auth method
  • In your client, use DataStore and start it with await DataStore.start()

aws-exports.js

"aws_appsync_authenticationType": "AMAZON_COGNITO_USER_POOLS",

Manual configuration

No response

Additional configuration

type Tenant @model @auth(
  rules: [
    { allow: groups, groups: ["VerifiedUser"], operations: [read] }
    { allow: groups, groups: ["Admin"], operations: [create, update, read, delete] }
  ]
) {
  id: ID! @primaryKey @auth(
    rules: [
      { allow: groups, groups: ["VerifiedUser"], operations: [read] }
      { allow: groups, groups: ["Admin"], operations: [create, update, read, delete] }
      { allow: owner, operations: [create, update, read, delete] }
    ]
  )
  tenantName: String
  tenantPlan: String
  tenantPayment: String
  tenantAddress: AWSJSON @auth(rules: [{ allow: owner, operations: [create, update, read, delete] }])
}

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

chrisbonifacio (Member) commented Aug 29, 2024

Hi @PeterSchoell 👋 thanks for raising this issue!

You mentioned that there is owner auth at the field level but it seems that your model level auth only allows users that belong to certain groups to read data from the table. Have you tried adding owner auth to the model level?

type Tenant @model @auth(
  rules: [
    { allow: groups, groups: ["VerifiedUser"], operations: [read] }
    { allow: groups, groups: ["Admin"], operations: [create, update, read, delete] }
+ { allow: owner, operations: [create, update, read, delete] } 
  ]
) {
  id: ID! @primaryKey
  tenantName: String
  tenantPlan: String
  tenantPayment: String
  tenantAddress: AWSJSON
  owner: String
}

With an owner auth rule, when records are created an owner field will be populated with the sub::username of the current user. Keep in mind that you can only be authorized to access records either as the owner OR as a member of an authorized group, but not both.
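To make the two schema variants discussed here concrete, the following is an added illustration (not Amplify's resolver code) of a simplified @auth rule check: a groups rule matches when one of the caller's Cognito groups is listed, an owner rule matches when the record's owner field equals the caller's identity in the default sub::username format, and a field carrying its own @auth rules must pass them in addition to the model-level read rule. The claims, record and rule evaluation order are constructed assumptions for this example.

```javascript
// Simplified model of Amplify @auth evaluation (added example, not Amplify code).
// Assumption: a field with its own rules must pass them on top of the model rules.
const ownerIdentity = (claims) => `${claims.sub}::${claims.username}`;

// True when at least one rule grants `op` to the caller for this record.
function isAllowed(rules, op, claims, record) {
  return rules.some((rule) => {
    if (!rule.operations.includes(op)) return false;
    if (rule.allow === 'groups') {
      return rule.groups.some((g) => (claims.groups || []).includes(g));
    }
    if (rule.allow === 'owner') {
      const field = rule.ownerField || 'owner'; // default owner field name
      return record[field] === ownerIdentity(claims);
    }
    return false;
  });
}

// Rules as reported in the issue: model level is groups-only,
// tenantAddress is owner-only at field level.
const groupRules = [
  { allow: 'groups', groups: ['VerifiedUser'], operations: ['read'] },
  { allow: 'groups', groups: ['Admin'], operations: ['create', 'update', 'read', 'delete'] },
];
const ownerRule = { allow: 'owner', operations: ['create', 'update', 'read', 'delete'] };
const fieldRules = { tenantAddress: [ownerRule] };

// The maintainer's suggestion: owner rule added at model level too.
const groupAndOwnerRules = [...groupRules, ownerRule];

// Fields of `record` the caller may read under `modelRules` plus field rules.
function readableFields(modelRules, claims, record) {
  if (!isAllowed(modelRules, 'read', claims, record)) return [];
  return Object.keys(record).filter((f) => {
    const rules = fieldRules[f];
    return !rules || isAllowed(rules, 'read', claims, record);
  });
}

// Constructed sample identities and record (not real data).
const alice = { sub: 'sub-alice', username: 'alice', groups: ['VerifiedUser'] };
const bob = { sub: 'sub-bob', username: 'bob', groups: ['VerifiedUser'] };
const carol = { sub: 'sub-carol', username: 'carol', groups: [] };
const tenant = { id: 't1', tenantName: 'Acme', tenantAddress: '{}', owner: ownerIdentity(alice) };
```

With the reported rules, bob (VerifiedUser, not owner) can read the record but not tenantAddress, while carol (no group) reads nothing until the owner rule is also present at model level.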

PeterSchoell (Author) commented Aug 30, 2024

@chrisbonifacio Thank you for the quick reply.

The variant of adding the owner to the authorisation at model level works. The owner is always also in one of the two groups. The additional owner specification could restrict the operations (e.g. delete) here.

My case, however, is that only the owner should read the tenantAddress and no other user/group. As written, this works without problems in the AWS AppSync queries GUI, but in the application via DataStore no element from the database is synchronised at all. (DataStore - User is unauthorised to query syncTenants with auth mode userPool. No data could be returned.)
