
fix(api): Don't prevent subscribing with API_KEY when there is also an owner-based rule #2828

Merged
merged 8 commits into from
Jul 10, 2024

Conversation

mattcreaser
Member

  • PR title and description conform to Pull Request guidelines.

Issue #, if available:
#2770

Description of changes:
This fix applies to models that have multiple types of authentication, e.g:

// Amplify Gen 2 data schema; `a` comes from the backend package.
import { a } from '@aws-amplify/backend';

const schema = a.schema({
  Todo: a
    .model({
      content: a.string(),
    })
    .authorization(allow => [
      allow.publicApiKey().to(['read']),
      allow.owner()
    ]),
});

This schema translates into a model that has the following auth rules:

@ModelConfig(pluralName = "Todos", type = Model.Type.USER, version = 1, authRules = {
  @AuthRule(allow = AuthStrategy.PUBLIC, provider = "apiKey", operations = { ModelOperation.READ }),
  @AuthRule(allow = AuthStrategy.OWNER, ownerField = "owner", identityClaim = "cognito:username", provider = "userPools", operations = { ModelOperation.CREATE, ModelOperation.UPDATE, ModelOperation.DELETE, ModelOperation.READ })
}, hasLazySupport = true)
public final class Todo implements Model

We would previously disallow subscribing to this model using AuthorizationType.API_KEY, because of the presence of the AuthStrategy.OWNER rule. You should be able to subscribe using either type. If using AuthorizationType.API_KEY then you receive events for all models, while if using AuthorizationType.COGNITO_USER_POOLS you receive events only for your own models.

I also fixed a bug I noticed that could (rarely) prevent proper shutting down of the subscription when using MultiAuth subscriptions.

How did you test these changes?

  • Verified that user can subscribe to a model with both public and owner read using API key, whether they are signed in or not, and receive all events for that model. The same user can also subscribe using cognito user pools (only when signed in) to receive only the events for models they create.

Documentation update required?

  • No
  • Yes (Please include a PR link for the documentation update)

General Checklist

  • Added Unit Tests
  • Added Integration Tests
  • Security oriented best practices and standards are followed (e.g. using input sanitization, principle of least privilege, etc)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
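The check this PR changes, as an added illustration that is not amplify-android's code nor the author's: a small model of how a model's generated @AuthRule list decides which AuthorizationType may open a subscription, before and after the fix, and which events each type then receives. The rule list is constructed to match the Todo annotations in the description; the pre-fix check is a simplified rendering of the behaviour the description states; the function names (readRulesFor, canSubscribeBefore, canSubscribeAfter, visibleEvents), the owner-only rule set and the sample events are this example's own.

```typescript
// Added illustration, not amplify-android's code: how a model's generated
// @AuthRule list decides which AuthorizationType may open a subscription
// (before and after this PR) and which events each type then receives.

type AuthStrategy = "PUBLIC" | "PRIVATE" | "OWNER" | "GROUPS";
type ModelOperation = "CREATE" | "UPDATE" | "DELETE" | "READ";
type AuthorizationType =
  "API_KEY" | "AMAZON_COGNITO_USER_POOLS" | "AWS_IAM" | "OPENID_CONNECT" | "AWS_LAMBDA";

interface AuthRule {
  allow: AuthStrategy;
  provider: string;             // provider string as written in @AuthRule
  operations: ModelOperation[];
  ownerField?: string;          // only meaningful for OWNER rules
}

// Provider name in an @AuthRule -> AuthorizationType a client requests for it.
const PROVIDER_TO_AUTH_TYPE: { [provider: string]: AuthorizationType } = {
  apiKey: "API_KEY",
  userPools: "AMAZON_COGNITO_USER_POOLS",
  iam: "AWS_IAM",
  oidc: "OPENID_CONNECT",
  function: "AWS_LAMBDA",
};

// Constructed to match the Todo annotations in the PR description.
const TODO_RULES: AuthRule[] = [
  { allow: "PUBLIC", provider: "apiKey", operations: ["READ"] },
  { allow: "OWNER", provider: "userPools", ownerField: "owner",
    operations: ["CREATE", "UPDATE", "DELETE", "READ"] },
];

// Constructed (hypothetical): the same model with the public rule removed.
const OWNER_ONLY_RULES: AuthRule[] = [
  { allow: "OWNER", provider: "userPools", ownerField: "owner",
    operations: ["CREATE", "UPDATE", "DELETE", "READ"] },
];

// Rules served by the requested type's provider that grant READ; a
// subscription delivers reads, so these are the rules that can back it.
function readRulesFor(rules: AuthRule[], requested: AuthorizationType): AuthRule[] {
  return rules.filter(r =>
    PROVIDER_TO_AUTH_TYPE[r.provider] === requested && r.operations.indexOf("READ") !== -1);
}

// Pre-fix behaviour as the description states it (simplified model): the mere
// presence of an OWNER rule forced an identity-bearing auth type, so API_KEY
// was refused even though a PUBLIC/apiKey rule granted READ.
function canSubscribeBefore(rules: AuthRule[], requested: AuthorizationType): boolean {
  if (rules.some(r => r.allow === "OWNER")) {
    return requested === "AMAZON_COGNITO_USER_POOLS" || requested === "OPENID_CONNECT";
  }
  return readRulesFor(rules, requested).length > 0;
}

// Fixed behaviour: any READ-granting rule for the requested type is enough.
function canSubscribeAfter(rules: AuthRule[], requested: AuthorizationType): boolean {
  return readRulesFor(rules, requested).length > 0;
}

interface TodoEvent { [field: string]: string; }

// Events the subscriber receives. A PUBLIC/PRIVATE rule carries no owner
// filter, so every event is delivered; when only OWNER rules match, just the
// records whose ownerField equals the caller's identity are delivered.
function visibleEvents(rules: AuthRule[], requested: AuthorizationType,
                       identity: string | null, events: TodoEvent[]): TodoEvent[] {
  const matching = readRulesFor(rules, requested);
  if (matching.length === 0) {
    throw new Error("no auth rule grants READ via " + requested);
  }
  if (matching.some(r => r.allow !== "OWNER")) {
    return events;
  }
  if (identity === null) {
    throw new Error("owner-scoped subscription needs a signed-in identity");
  }
  return events.filter(e => matching.some(r => e[r.ownerField || "owner"] === identity));
}

// Constructed sample events for the demo.
const SAMPLE_EVENTS: TodoEvent[] = [
  { id: "1", owner: "alice", content: "buy milk" },
  { id: "2", owner: "bob",   content: "file taxes" },
  { id: "3", owner: "alice", content: "call mum" },
];

function demo(): string[] {
  const out: string[] = [];
  out.push("API_KEY before fix: " + canSubscribeBefore(TODO_RULES, "API_KEY"));
  out.push("API_KEY after fix:  " + canSubscribeAfter(TODO_RULES, "API_KEY"));
  out.push("API_KEY sees " +
    visibleEvents(TODO_RULES, "API_KEY", null, SAMPLE_EVENTS).length + " events");
  out.push("alice via user pools sees " +
    visibleEvents(TODO_RULES, "AMAZON_COGNITO_USER_POOLS", "alice", SAMPLE_EVENTS).length + " events");
  return out;
}

console.log(demo().join("\n"));
```

Only the provider-name mapping is the one amplify-android's AuthorizationType enum uses for AppSync; the refusal logic, the event filtering and the sample data are constructed here to mirror the behaviour the description states, so that the before/after difference is visible on one rule set.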

mattcreaser force-pushed the mattcreaser/api-subscription-auth branch from b470dc9 to 9d9703d on May 22, 2024 18:31
mattcreaser force-pushed the mattcreaser/api-subscription-auth branch from 96776eb to 5b3184f on June 14, 2024 15:50
mattcreaser marked this pull request as ready for review on June 14, 2024 15:51
mattcreaser requested a review from a team as a code owner on June 14, 2024 15:51
mattcreaser enabled auto-merge (squash) on July 10, 2024 13:37
mattcreaser merged commit 68c40e1 into main on Jul 10, 2024
3 checks passed
mattcreaser deleted the mattcreaser/api-subscription-auth branch on July 10, 2024 14:06