Mixed authentication (public/private) with a many-to-many schema fails #6104

Closed
josh-tncarry opened this issue Dec 8, 2020 · 3 comments · Fixed by #5655
Labels: bug (Something isn't working), @connection (Issues tied to @connection directive), graphql-transformer-v1 (Issue related to GraphQL Transformer v1)

@josh-tncarry

Describe the bug
When creating a simple many-to-many schema, it appears that the compiled graphql schema does not include the appropriate permission attributes necessary for handling an API that supports both public and private use.

Given a many to many relationship using only Cognito auth modes, everything works as expected, but the minute you introduce:

{ allow: public, operations: [read], provider: iam }

into the model, it appears that the linking model is not decorated in the final output with any authorization attributes, causing it to throw errors for both authenticated as well as unauthenticated users.

Amplify CLI Version
4.37.0

To Reproduce

  1. Create a simple amplify project
  2. amplify add api
  3. configure both Cognito authentication as well as IAM
  4. Use the following graphql schema:
type User
  @model
  @key(fields: ["username"])
  @auth(
    rules: [
      { allow: owner, operations: [create, delete, update] }
      { allow: private, operations: [read] }
      { allow: public, operations: [read], provider: iam }
    ]
  ) {
  username: String!
  postLikes: [PostLike] @connection(keyName: "byUsername", fields: ["username"])
}

type Post
  @model
  @auth(
    rules: [
      { allow: owner, operations: [create, delete, update] }
      { allow: private, operations: [read] }
      { allow: public, operations: [read], provider: iam }
    ]
  ) {
  id: ID!
  body: String!
  username: String!
  user: User! @connection(fields: ["username"])
  userLikes: [PostLike] @connection(keyName: "byPostId", fields: ["id"])
}

type PostLike
  @model(queries: null)
  @auth(
    rules: [
      { allow: owner, operations: [create, delete, update] }
      { allow: private, operations: [read] }
      { allow: public, operations: [read], provider: iam }
    ]
  )
  @key(name: "byPostId", fields: ["postId", "username"])
  @key(name: "byUsername", fields: ["username", "postId"]) {
  id: ID!
  postId: ID!
  username: String!
  post: Post! @connection(fields: ["postId"])
  user: User! @connection(fields: ["username"])
}
  5. Compile the graphql schema with amplify api gql-compile
  6. Observe that the model ModelPostLikeConnection does not have any auth attributes
type ModelPostLikeConnection {
  items: [PostLike]
  nextToken: String
}

When querying the Post model and trying to also pull in all userLikes the query will fail with a message of Not Authorized to access nextToken on type ModelPostLikeConnection

Expected behavior
The linking table should look like this:

type ModelPostLikeConnection @aws_iam @aws_cognito_user_pools {
  items: [PostLike]
  nextToken: String
}

Desktop (please complete the following information):

  • Windows
  • 15.3.0

Additional context
A minimal repo with the graphql schema necessary to reproduce the bug can be found here: https://github.com/josh-tncarry/many-to-many-amplify-bug
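
A check for the symptom reported above, as an added example that is not part of the original issue or of the Amplify CLI: it scans compiled SDL for Model*Connection types that lack AppSync auth directives present on their item type. The function names and the sample schema are constructed, and the assumption that the item type carries both directives follows the reporter's expected output.

```javascript
// Added example, not Amplify code. Type-level AppSync auth directives to compare.
const AUTH_DIRECTIVES = new Set([
  "aws_iam", "aws_cognito_user_pools", "aws_api_key", "aws_oidc", "aws_lambda",
]);

// Map each object type in the SDL to its type-level auth directives and body.
function parseTypes(sdl) {
  const types = new Map();
  for (const [, name, header, body] of sdl.matchAll(/\btype\s+(\w+)([^{]*)\{([^}]*)\}/g)) {
    const auth = [...header.matchAll(/@(\w+)/g)]
      .map((m) => m[1])
      .filter((d) => AUTH_DIRECTIVES.has(d));
    types.set(name, { auth: new Set(auth), body });
  }
  return types;
}

// Report connection types missing an auth directive that their item type has.
function findUnderAuthorizedConnections(sdl) {
  const types = parseTypes(sdl);
  const findings = [];
  for (const [name, def] of types) {
    const item = /\bitems\s*:\s*\[\s*(\w+)/.exec(def.body);
    if (!/^Model\w+Connection$/.test(name) || !item || !types.has(item[1])) continue;
    const missing = [...types.get(item[1]).auth].filter((d) => !def.auth.has(d)).sort();
    if (missing.length) findings.push({ type: name, itemType: item[1], missing });
  }
  return findings;
}

// Constructed sample of compiled output showing the reported symptom.
const SAMPLE_COMPILED_SCHEMA = `
type Post @aws_iam @aws_cognito_user_pools {
  id: ID!
  userLikes(limit: Int, nextToken: String): ModelPostLikeConnection
}
type PostLike @aws_iam @aws_cognito_user_pools {
  id: ID!
  postId: ID!
}
type ModelPostConnection @aws_iam @aws_cognito_user_pools {
  items: [Post]
  nextToken: String
}
type ModelPostLikeConnection {
  items: [PostLike]
  nextToken: String
}
`;
console.log(findUnderAuthorizedConnections(SAMPLE_COMPILED_SCHEMA));
```

Run against the compiled schema after amplify api gql-compile, an empty result means every connection type carries the same type-level auth directives as its items.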

attilah added this to To do in Bug bash via automation Dec 10, 2020
attilah added the @connection, bug and graphql-transformer-v1 labels Dec 10, 2020
@attilah
Contributor

attilah commented Dec 10, 2020

@josh-tncarry thanks for reporting, we'll look into it!

@josh-tncarry
Author

Ok, as an update, it would appear that if you remove the (queries: null) part on the PostLike model, then the correct auth attributes will be generated.

I can probably further simplify this example given this information.

akshbhu self-assigned this Jan 15, 2021
akshbhu moved this from To do to In progress in Bug bash Jan 15, 2021
akshbhu moved this from In progress to Review in Bug bash Jan 15, 2021
Bug bash automation moved this from Review to Done Jan 20, 2021
github-actions bot locked as resolved and limited conversation to collaborators May 25, 2021