DEV Community

Mithun Kamath
Mithun Kamath

Posted on

Amplify Quirks

As I work on a project using aws amplify, I am going to document some quirks that I come across (or some plain old stupidity on my part). The documentation for amplify has room to improve but it is definitely frustrating to work with it. I document my findings here for my future self, if I have to work using amplify again.

I dislike that I have to go to Amplify's discord and search through the history for any similar issues... What happened to having StackOverflow as the go-to for such activities?

Anyway, I intend to update this blog forever so you could keep checking back.

Appsync / Graphql

Combination of private and groups authorization types

Example:

type Query {
  myFooQuery: Bar @auth(
    rules: [
      { allow: private },
      { allow: groups, groups: ["Admin"] }
    ]
  )
}
Enter fullscreen mode Exit fullscreen mode

Expectation When I define both private and groups authorization, say on a query, users with a valid jwt token as well as users that belong to the cognito user group defined in the authorization rule are allowed to execute that query. I expected this to be an OR condition:

  • EITHER users that have a valid jwt token
  • OR users that belong to a specific cognito user group

just like the other authorization type combinations (such as a user can either use an api key or the owner can update their own record).

Actual The group authorization rule takes precedence over the private authorization rule. Thus, even if a user has a valid jwt token, they cannot execute the query. Not unless they belong to the group specified.

Comment Granted that having both private and groups authorization types is redundant - if a user belongs to a group, it would imply they have a jwt token and thus having just private authorization type would suffice. But I expected the combination to always be OR'ed but turns out that isn't the case when it comes to the private and groups authorization types.

Hours Spent Debugging 4 hours. Had to check the generated request mapping template, learn VTL, learn how to log in VTL ($util.error()!!!) and then came to this conclusion.

Discussion (0)