DataStore does not sync if using owner @auth and API auth default is API_KEY

[smithad15]

This is more of an observation of behaviour that could either be considered a bug, or a lack of clear documentation. Either way, it might be useful to others or the team.

I was converting an existing application from the AppSync SDK to DataStore. This application had been built out through successive prototyping stages. I started out with a basic GraphQL API (which utilized an API key) and the AppSync SDK, then added Cognito and more specific authentication rules, primarily public, groups (for Admins), and owner. When running amplify update api to change the auth providers, I added Cognito but kept the primary auth as API_KEY. This seemed to make the most sense since most of my API is public for reads and it seemed like everything worked for the raw GraphQL operations.

When I converted one of my models to utilize DataStore, everything was working fine locally on the client, but the changes were not being synced to DynamoDB. This was after following all of the steps to adjust my API and code properly to enable sync. After stumbling around through GitHub issues, I eventually found Amplify.Logger.LOG_LEVEL = 'DEBUG'; which showed that I was getting an unauthorized access error on the model that had the owner auth rule for the sync query. This error, which was very hard to find, was preventing all syncing of data between the client and cloud for all models, not just the one affected.

After stumbling on this comment (#5898 (comment)) I tried switching the primary authentication mechanism from API to Cognito. That worked!

While I seem to have solved the problem for myself, there are some issues here for others who might find themselves in the same spot.

1. It seems counterintuitive that an access error on one model completely breaks the ability for all other models to sync their data properly. Considering that each one is a separate set of GraphQL queries, I would expect other models to work correctly if there are not any errors

2. The requirement that the primary auth method of the API be changed to Cognito for owner auth rules is not clear. Either this needs to be clearly documented somewhere, or the code needs to be more flexible to allow this use case since there is no explicit mechanism to specify (as in the Amplify GraphQL client) or switch between (as in the AppSync SDK) different auth provider models.

Hope this helps

[elorzafe]

@smithad15 this is great feedback I will take a look into this problem

[amhinson]

@smithad15 We have made some updates recently to DataStore that should enable models to continue syncing if one fails. If you happen to have some time to test, it'd be great to see if that part of your issue is resolved.

We are also working on making DataStore more compatible with multiple configured auth types, and this is great feedback.

[smithad15]

Glad to hear that there is progress being made on resiliency and the feedback was useful. Unfortunately, I had to roll back the inclusion of DataStore in my project due to its lack of support for many-to-many relationships (#5054)

[amhinson]

Ok good to know! We are also planning support for that soon, so keep an eye out 🙂

[github-actions]

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.