Inconsistent results when listing documents when @auth is applied on the model

Note: If your issue/bug is regarding the AWS Amplify Console service, please log it in the Amplify Console GitHub Issue Tracker

Describe the bug

I have a user in the cognito user pools with a given number of groups he belongs to. I have a Domain model with an @auth directive to restrict access to the domains based upon the groups a user belongs to. When I call the query listDomains it doesn’t return all domains for the given user, but when I remove the @auth directive on the model it works fine.

Amplify CLI Version 4.18.1

To Reproduce

  • Create 15 groups in the cognito user pool
  • Create 2 users and assign the first user to 10 groups and the 2nd user to 5 groups
  • Create the following model:
type Domain
  @model
  @auth(rules: [
    { allow: groups, groupsField: "group" }
  ])
{
  id: ID!
  name: String!
  group: String!
}
  • Now query like below:
query listMyDomains{
  listDomains {
    items {
      name
      group
    } 
  }
}

Expected behavior

All domains of the user calling the query are returned

Screenshots

Only a few of the domains the user has access to are returned

Desktop (please complete the following information):

  • OS: macOS Catalina 10.15.4
  • Node Version: v12.16.1

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5

Top GitHub Comments

4 reactions
RossWilliams commented, May 6, 2020

This is not a bug. You are likely experiencing a few issues.

  1. By default, list operations fetch 10 items from DynamoDB. If your model has more than 10 items, you will not get all items. Set the “limit” parameter to ensure you get all items you want.
  2. List operations scan a DynamoDB table. If there is more than 1MB of items in the table, you cannot get all items for a user in a single request. Minimise your use of list operations or you will have pain once you get to production and suddenly things stop working.
  3. The @auth directive for list operations does not do any filtering in the database, it filters items after they are returned. This means even if a user has less than 10 items they are allowed to see, this query might not return all items because the limit for how many items to fetch is applied at the database level, but the auth filter happens in the AppSync response resolver.

My recommendation to resolve this issue is one of the following.

  1. Add a limit parameter that is larger than the total amount of items in your table. Only do this if your table is extremely small and will never grow to more than a handful of items.
  2. Add a @key to your model with the primary key of your group field. Set the queryField parameter and query using the key directly. Do not use the list queries, consider them only for testing.

The main principle of working with DynamoDB is to not over-fetch data. This means setting up indexes so you can fetch only what you need.
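
Added example (not part of the original thread and not Amplify's own code): a small in-memory model of the behaviour described in the comment above, where the read limit is applied before the group filter, so a page can come back short or empty even though the caller is entitled to more items. The table contents, the function names and the numeric `nextToken` are constructed for illustration; real tokens are opaque strings.

```javascript
// Constructed sample data: 30 domains, two per group, groups g0..g14.
const TABLE = Array.from({ length: 30 }, (_, i) => ({
  id: `d${i}`, name: `domain-${i}`, group: `g${i % 15}`,
}));

// Data source step: read at most `limit` items starting at `nextToken`.
// The read knows nothing about the caller's groups.
function scanPage(limit, nextToken = 0) {
  const items = TABLE.slice(nextToken, nextToken + limit);
  const end = nextToken + items.length;
  return { items, nextToken: end < TABLE.length ? end : null };
}

// Response step: the group rule is applied only after the read,
// so the filter can only shrink a page that was already capped.
function listDomains(userGroups, { limit = 10, nextToken = 0 } = {}) {
  const page = scanPage(limit, nextToken);
  return {
    items: page.items.filter((d) => userGroups.includes(d.group)),
    nextToken: page.nextToken,
  };
}

// Client-side handling: an empty page is not the end of the data,
// only a null nextToken is. Every page still reads `limit` items.
function listAllDomains(userGroups, limit = 10) {
  const all = [];
  let token = 0;
  do {
    const page = listDomains(userGroups, { limit, nextToken: token });
    all.push(...page.items);
    token = page.nextToken;
  } while (token !== null);
  return all;
}

// Key lookup on `group` (the second recommendation): only items that
// belong to the caller's groups are read, so nothing is over-fetched.
function domainsByGroup(userGroups) {
  return userGroups.flatMap((g) => TABLE.filter((d) => d.group === g));
}

const fiveGroups = ['g10', 'g11', 'g12', 'g13', 'g14'];
console.log('first page:', listDomains(fiveGroups).items.length);   // limit hit before any match
console.log('all pages:', listAllDomains(fiveGroups).length);
console.log('by key:', domainsByGroup(fiveGroups).length);
```
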

0 reactions
github-actions[bot] commented, May 26, 2021

This issue has been automatically locked since there hasn’t been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels for those types of questions.
