datastore multiauth schema example incorrect

Open ragingsquirrel3 opened this issue 3 years ago • 0 comments

Describe the bug

The example schema for multiple authorization modes on https://docs.amplify.aws/cli/graphql/authorization-rules/#configure-multiple-authorization-rules does not produce the advertised result. While it says "any user (signed in or not, verified by IAM) is allowed to read all posts", I found that while a non-signed-in user can read all posts, a signed-in user will only see the posts they authored, as the precedence algorithm will use Cognito user pools for a signed-in read request. I think you have to use auth directives like this to make it work as described:

[{ allow: public, operations: [read], provider: iam },
{ allow: private, operations: [read] },
{ allow: owner }]

To Reproduce

Steps to reproduce the behavior:

  1. Make an app with auth (allow unauthenticated logins) and a GraphQL API with multi-auth (IAM and Cognito), enable conflict resolution, and use a schema like https://docs.amplify.aws/cli/graphql/authorization-rules/#configure-multiple-authorization-rules.
  2. Make an app with DataStore. I did this with Flutter on iOS, but I think you can repro with any platform (someone else was able to repro in JS and iOS directly).
  3. Sync the DataStore while a user is logged in.

Expected behavior

Sync includes all the posts, even those made by other users.

Actual behavior

Sync only includes those created by the signed-in user.

I think the legacy docs have a different schema, dk if that's relevant https://docs.amplify.aws/cli-legacy/graphql-transformer/auth/#combining-multiple-authorization-types

ragingsquirrel3 • Apr 25 '22 22:04
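The behaviour reported above can be reproduced with a small model of rule evaluation. This is an added example, not Amplify's code or the reporter's: it assumes a request is checked only against rules whose provider matches the credentials it was signed with, and that a signed-in DataStore client signs with Cognito user pools, as the report describes. `readableIds`, the sample posts and the two callers are hypothetical.

```javascript
// Simplified model of @auth rule evaluation; not Amplify's implementation.
// Assumption: a request is checked only against rules whose provider matches
// the credentials it was signed with.
const DEFAULT_PROVIDER = { owner: 'userPools', private: 'userPools', public: 'apiKey' };

function readableIds(rules, caller, posts) {
  const applicable = rules.filter((rule) => {
    const provider = rule.provider || DEFAULT_PROVIDER[rule.allow];
    const ops = rule.operations || ['create', 'read', 'update', 'delete'];
    return provider === caller.provider && ops.includes('read');
  });
  return posts
    .filter((post) => applicable.some((rule) => {
      if (rule.allow === 'public') return true;              // any caller on this provider
      if (rule.allow === 'private') return caller.signedIn;  // any signed-in user
      if (rule.allow === 'owner') return caller.signedIn && post.owner === caller.username;
      return false;
    }))
    .map((post) => post.id);
}

// Rules proposed in the issue, and the same list without the `private` rule.
const proposedRules = [
  { allow: 'public', operations: ['read'], provider: 'iam' },
  { allow: 'private', operations: ['read'] },
  { allow: 'owner' },
];
const withoutPrivateRule = proposedRules.filter((rule) => rule.allow !== 'private');

// Constructed sample data.
const posts = [
  { id: 'p1', owner: 'alice' },
  { id: 'p2', owner: 'bob' },
  { id: 'p3', owner: 'bob' },
];
const guest = { provider: 'iam', signedIn: false };
const alice = { provider: 'userPools', signedIn: true, username: 'alice' };

console.log('guest, without private rule:', readableIds(withoutPrivateRule, guest, posts));
console.log('alice, without private rule:', readableIds(withoutPrivateRule, alice, posts));
console.log('alice, proposed rules:      ', readableIds(proposedRules, alice, posts));
```

In this model the guest reads every post through the IAM rule, while the signed-in user falls under the owner rule alone until a `private` read rule is present for the user pools provider.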