Mutations are not authorized when using manyToMany relation and cognito user groups auth | Amplify v6 #2905

Open
edlefebvre opened this issue Aug 30, 2024 · 3 comments

edlefebvre commented Aug 30, 2024

JavaScript Framework

Vue

Amplify APIs

Authentication, GraphQL API

Amplify Version

v6

Amplify Categories

auth, api

Backend

Amplify CLI

Environment information

# Put output below this line
  System:
    OS: Linux 6.9 Fedora Linux 39
    Container: Yes
    Shell: 5.9 - /usr/bin/zsh
  Binaries:
    Node: 20.8.1 - ~/.nvm/versions/node/v20.8.1/bin/node
    Yarn: 1.22.21 - /usr/bin/yarn
    npm: 10.2.5 - ~/.nvm/versions/node/v20.8.1/bin/npm
  Browsers:
    Chrome: 128.0.6613.84
  npmPackages:
    @aws-amplify/ui-vue: ^4.2.0 => 4.2.0 
    @vitejs/plugin-vue: ^5.1.2 => 5.1.2 
    aws-amplify: ^6.5.3 => 6.5.3 
    aws-amplify/adapter-core:  undefined ()
    aws-amplify/analytics:  undefined ()
    aws-amplify/analytics/kinesis:  undefined ()
    aws-amplify/analytics/kinesis-firehose:  undefined ()
    aws-amplify/analytics/personalize:  undefined ()
    aws-amplify/analytics/pinpoint:  undefined ()
    aws-amplify/api:  undefined ()
    aws-amplify/api/server:  undefined ()
    aws-amplify/auth:  undefined ()
    aws-amplify/auth/cognito:  undefined ()
    aws-amplify/auth/cognito/server:  undefined ()
    aws-amplify/auth/enable-oauth-listener:  undefined ()
    aws-amplify/auth/server:  undefined ()
    aws-amplify/data:  undefined ()
    aws-amplify/data/server:  undefined ()
    aws-amplify/datastore:  undefined ()
    aws-amplify/in-app-messaging:  undefined ()
    aws-amplify/in-app-messaging/pinpoint:  undefined ()
    aws-amplify/push-notifications:  undefined ()
    aws-amplify/push-notifications/pinpoint:  undefined ()
    aws-amplify/storage:  undefined ()
    aws-amplify/storage/s3:  undefined ()
    aws-amplify/storage/s3/server:  undefined ()
    aws-amplify/storage/server:  undefined ()
    aws-amplify/utils:  undefined ()
    vite: ^5.4.2 => 5.4.2 
    vue: ^3.4.15 => 3.4.38 
    vue-router: ^4.2.5 => 4.2.5 
  npmGlobalPackages:
    @aws-amplify/cli: 12.12.6
    npm: 10.2.5

Describe the bug

I can't write mutations for manyToMany relations with Amplify v6; I get an unauthorized error.

I've seen this bug (13226), which could be related, except I don't use DataStore.

Consider this GraphQL schema:

type TestAuth
  @model
  @auth(
    rules: [
      { allow: groups, groups: ["admin"] },
      { allow: groups, groupsField: "create", operations: [create] },
      { allow: groups, groupsField: "read", operations: [read] },
      { allow: groups, groupsField: "update", operations: [update] },
      { allow: groups, groupsField: "delete", operations: [delete] }
    ]
  )
{
  id: ID!
  tenant: String!
  name: String
  sites: [TestAuthSite] @manyToMany(relationName: "TestAuthSiteLinks")
  create: [String] 
  read: [String] 
  update: [String] 
  delete: [String] 
}


type TestAuthSite
  @model
  @auth(
    rules: [
      { allow: groups, groups: ["admin"] },
      { allow: groups, groupsField: "create", operations: [create] },
      { allow: groups, groupsField: "read", operations: [read] },
      { allow: groups, groupsField: "update", operations: [update] },
      { allow: groups, groupsField: "delete", operations: [delete] }
    ]
  )
{
  id: ID!
  tenant: String!
  name: String
  testauth: [TestAuth] @manyToMany(relationName: "TestAuthSiteLinks")
  create: [String]
  read: [String] 
  update: [String] 
  delete: [String]
}

Using a user with a Cognito group 'Manager' that has CRUD rights on these two models, I'm able to create TestAuth and TestAuthSite. But the createTestAuthSiteLinks mutation throws an error: Not Authorized to access createTestAuthSiteLinks on type Mutation.

I tried this directly in AppSync and in my app, both failed.

Any help much appreciated!

Expected behavior

Should be able to write mutations for linking manyToMany relations when the models to join both have auth set up with Cognito groups.

Reproduction steps

  1. Use the suggested GraphQL schema
  2. Create a TestAuth
  3. Create a TestAuthSite
  4. Try to create a TestAuthSiteLinks and see the error



edlefebvre commented Aug 30, 2024

As a workaround, I'm now using two @hasMany <=> @belongsTo relationships with the same auth settings used for the models to join.
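
The workaround described in the comment above, written out as a schema. This is an added example, not code from the issue author or the Amplify project: the `@manyToMany` field is replaced by an explicit join model that carries its own `@auth` rules. `TestAuthSiteLink`, the index names and the `testAuthID`/`testAuthSiteID` fields are assumed names.

```graphql
# Added example: explicit join model in place of @manyToMany.
# TestAuthSiteLink, byTestAuth, byTestAuthSite, testAuthID and
# testAuthSiteID are hypothetical names chosen for this sketch.
type TestAuth @model @auth(rules: [
    { allow: groups, groups: ["admin"] },
    { allow: groups, groupsField: "create", operations: [create] },
    { allow: groups, groupsField: "read", operations: [read] },
    { allow: groups, groupsField: "update", operations: [update] },
    { allow: groups, groupsField: "delete", operations: [delete] }
  ]) {
  id: ID!
  tenant: String!
  name: String
  # One side of the relation now points at the link records.
  sites: [TestAuthSiteLink] @hasMany(indexName: "byTestAuth", fields: ["id"])
  create: [String] read: [String] update: [String] delete: [String]
}

type TestAuthSite @model @auth(rules: [
    { allow: groups, groups: ["admin"] },
    { allow: groups, groupsField: "create", operations: [create] },
    { allow: groups, groupsField: "read", operations: [read] },
    { allow: groups, groupsField: "update", operations: [update] },
    { allow: groups, groupsField: "delete", operations: [delete] }
  ]) {
  id: ID!
  tenant: String!
  name: String
  testauth: [TestAuthSiteLink] @hasMany(indexName: "byTestAuthSite", fields: ["id"])
  create: [String] read: [String] update: [String] delete: [String]
}

# The join model is an ordinary @model, so its authorization is declared
# here explicitly with the same rules as the two models it links.
type TestAuthSiteLink @model @auth(rules: [
    { allow: groups, groups: ["admin"] },
    { allow: groups, groupsField: "create", operations: [create] },
    { allow: groups, groupsField: "read", operations: [read] },
    { allow: groups, groupsField: "update", operations: [update] },
    { allow: groups, groupsField: "delete", operations: [delete] }
  ]) {
  id: ID!
  testAuthID: ID! @index(name: "byTestAuth")
  testAuthSiteID: ID! @index(name: "byTestAuthSite")
  testAuth: TestAuth @belongsTo(fields: ["testAuthID"])
  testAuthSite: TestAuthSite @belongsTo(fields: ["testAuthSiteID"])
  create: [String] read: [String] update: [String] delete: [String]
}
```

Because the group rules are field-based, each link record is authorized against its own `create`/`read`/`update`/`delete` lists, so the client has to populate them when it creates the link and keep them in step with the lists on the two records being joined.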

chrisbonifacio (Member) commented

Hi @edlefebvre 👋 thanks for raising this issue! I will try to reproduce and report back with any findings

chrisbonifacio self-assigned this Sep 4, 2024
github-actions bot added the pending-maintainer-response label Sep 4, 2024
chrisbonifacio added the investigating, Gen 2 and to-be-reproduced labels and removed the pending-triage, pending-maintainer-response and Gen 2 labels Sep 4, 2024
chrisbonifacio transferred this issue from aws-amplify/amplify-js Sep 25, 2024
chrisbonifacio removed their assignment Sep 25, 2024

chrisbonifacio (Member) commented

Hi @edlefebvre, since this is reproducible in the AppSync console, it is likely a GraphQL transformer issue. Auth rules/resolvers are generated at build-time so I transferred this over to the category-api repo for better support.

AnilMaktala self-assigned this Sep 30, 2024