From 5ced5139e991db7e0e741b4668020b125d0e4a08 Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Thu, 20 Jun 2024 17:14:02 -0400 Subject: [PATCH 01/19] add warning regarding subscription and mutation redaction of relational fields --- .../data/data-modeling/relationships/index.mdx | 14 +++++++++++++- .../data/subscribe-data/index.mdx | 12 ++++++++++++ .../graphqlapi/data-modeling/index.mdx | 18 +++++++++++++++--- .../graphqlapi/subscribe-data/index.mdx | 12 ++++++++++++ 4 files changed, 52 insertions(+), 4 deletions(-) diff --git a/src/pages/[platform]/build-a-backend/data/data-modeling/relationships/index.mdx b/src/pages/[platform]/build-a-backend/data/data-modeling/relationships/index.mdx index 5a36e4a1ba1..90ac2483221 100644 --- a/src/pages/[platform]/build-a-backend/data/data-modeling/relationships/index.mdx +++ b/src/pages/[platform]/build-a-backend/data/data-modeling/relationships/index.mdx @@ -24,7 +24,7 @@ export const getStaticPaths = async () => { export function getStaticProps(context) { return { props: { - + meta } }; 
@@ -32,6 +32,18 @@ export function getStaticProps(context) { When modeling application data, you often need to establish relationships between different data models. In Amplify Data, you can create one-to-many, one-to-one, and many-to-many relationships in your Data schema. On the client-side, Amplify Data allows you to lazy or eager load of related data. + +With versions of Amplify CLI `@aws-amplify/cli@12.12.2` and API Category `@aws-amplify/amplify-category-api@5.11.5`, an improvement was made to how relational field data is handled in subscriptions when different authorization rules apply to related models in a schema. The improvement redacts the values for the relational fields, displaying them as null or empty, to prevent unauthorized access to relational data. + +This redaction occurs whenever it cannot be determined that the child model will be protected by the same permissions as the parent model. + +Because subscriptions are tied to mutations and the selection set provided in the result of a mutation is then passed through to the subscription, relational fields in the result of mutations must be redacted. + +If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. + +Additionally, subscriptions will inherit related authentication when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. + + ## Types of relationships |Relationship|Code|Description|Example| diff --git a/src/pages/[platform]/build-a-backend/data/subscribe-data/index.mdx b/src/pages/[platform]/build-a-backend/data/subscribe-data/index.mdx index 93591efd0da..880e6a9b993 100644 --- a/src/pages/[platform]/build-a-backend/data/subscribe-data/index.mdx +++ b/src/pages/[platform]/build-a-backend/data/subscribe-data/index.mdx 
@@ -38,6 +38,18 @@ Before you begin, you will need: - An [application connected to the API](/[platform]/build-a-backend/data/connect-to-API/) - Data already created to modify + +With versions of Amplify CLI `@aws-amplify/cli@12.12.2` and API Category `@aws-amplify/amplify-category-api@5.11.5`, an improvement was made to how relational field data is handled in subscriptions when different authorization rules apply to related models in a schema. The improvement redacts the values for the relational fields, displaying them as null or empty, to prevent unauthorized access to relational data. + +This redaction occurs whenever it cannot be determined that the child model will be protected by the same permissions as the parent model. + +Because subscriptions are tied to mutations and the selection set provided in the result of a mutation is then passed through to the subscription, relational fields in the result of mutations must be redacted. + +If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. + +Additionally, subscriptions will inherit related authentication when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. + + ## Set up a real-time list query The recommended way to fetch a list of data is to use `observeQuery` to get a real-time list of your app data at all times. You can integrate `observeQuery` with React's `useState` and `useEffect` hooks in the following way: diff --git a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/data-modeling/index.mdx b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/data-modeling/index.mdx index eea49006a3d..067231d4b83 100644 --- a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/data-modeling/index.mdx +++ b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/data-modeling/index.mdx 
@@ -292,6 +292,18 @@ Create "has one", "has many", "belongs to", and "many to many" relationships bet | `@belongsTo` | Use a "belongs to" relationship to make a "has one" or "has many" relationship bi-directional. For example, a Project has one Team and a Team belongs to a Project. This allows you to query the team from the project record and vice versa. | | `@manyToMany` | Configures a "join table" between two models to facilitate a many-to-many relationship. For example, a Blog has many Tags and a Tag has many Blogs. | + +With versions of Amplify CLI `@aws-amplify/cli@12.12.2` and API Category `@aws-amplify/amplify-category-api@5.11.5`, an improvement was made to how relational field data is handled in subscriptions when different authorization rules apply to related models in a schema. The improvement redacts the values for the relational fields, displaying them as null or empty, to prevent unauthorized access to relational data. + +This redaction occurs whenever it cannot be determined that the child model will be protected by the same permissions as the parent model. + +Because subscriptions are tied to mutations and the selection set provided in the result of a mutation is then passed through to the subscription, relational fields in the result of mutations must be redacted. + +If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. + +Additionally, subscriptions will inherit related authentication when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. + + ### Has One relationship import gqlv2callout from '/src/fragments/cli/gqlv2callout.mdx'; 
@@ -794,11 +806,11 @@ You can use the `@default` directive to specify a default value for optional [sc ```graphql type Todo @model { content: String @default(value: "My new Todo") - # Note: all "value" parameters must be passed as a string value. + # Note: all "value" parameters must be passed as a string value. # Under the hood, Amplify will parse the string values into respective types. - # For example, to set a default value for an integer field, + # For example, to set a default value for an integer field, # you must pass in `"0"` instead of `0` without the double-quotes. - likes: Int @default(value: "0") # + likes: Int @default(value: "0") # } ``` diff --git a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/subscribe-data/index.mdx b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/subscribe-data/index.mdx index 50adb8b5abf..681f8ac60e7 100644 --- a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/subscribe-data/index.mdx +++ b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/subscribe-data/index.mdx 
@@ -49,6 +49,18 @@ Before you begin, you will need: + +With versions of Amplify CLI `@aws-amplify/cli@12.12.2` and API Category `@aws-amplify/amplify-category-api@5.11.5`, an improvement was made to how relational field data is handled in subscriptions when different authorization rules apply to related models in a schema. The improvement redacts the values for the relational fields, displaying them as null or empty, to prevent unauthorized access to relational data. + +This redaction occurs whenever it cannot be determined that the child model will be protected by the same permissions as the parent model. + +Because subscriptions are tied to mutations and the selection set provided in the result of a mutation is then passed through to the subscription, relational fields in the result of mutations must be redacted. + +If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. + +Additionally, subscriptions will inherit related authentication when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. + + ## Set up a real-time subscription Subscriptions is a GraphQL feature that allows the server to send data to its clients when a specific event happens. For example, you can subscribe to an event when a new record is created, updated, or deleted through the API. You can enable real-time data integration in your app with a subscription. From a08972619115f5d1bb68ceebe0a6f3cd42028b34 Mon Sep 17 00:00:00 2001 
From: Chris Bonifacio Date: Fri, 21 Jun 2024 12:44:59 -0400 Subject: [PATCH 02/19] replace authn with authz in warning --- .../build-a-backend/data/data-modeling/relationships/index.mdx | 2 +- .../[platform]/build-a-backend/data/subscribe-data/index.mdx | 2 +- .../build-a-backend/graphqlapi/data-modeling/index.mdx | 2 +- .../build-a-backend/graphqlapi/subscribe-data/index.mdx | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/pages/[platform]/build-a-backend/data/data-modeling/relationships/index.mdx b/src/pages/[platform]/build-a-backend/data/data-modeling/relationships/index.mdx index 90ac2483221..28b03a3a38a 100644 --- a/src/pages/[platform]/build-a-backend/data/data-modeling/relationships/index.mdx +++ b/src/pages/[platform]/build-a-backend/data/data-modeling/relationships/index.mdx @@ -41,7 +41,7 @@ Because subscriptions are tied to mutations and the selection set provided in th If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. -Additionally, subscriptions will inherit related authentication when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. +Additionally, subscriptions will inherit related authorization when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. ## Types of relationships diff --git a/src/pages/[platform]/build-a-backend/data/subscribe-data/index.mdx b/src/pages/[platform]/build-a-backend/data/subscribe-data/index.mdx index 880e6a9b993..9b9bae361f5 100644 --- a/src/pages/[platform]/build-a-backend/data/subscribe-data/index.mdx +++ b/src/pages/[platform]/build-a-backend/data/subscribe-data/index.mdx 
@@ -47,7 +47,7 @@ Because subscriptions are tied to mutations and the selection set provided in th If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. -Additionally, subscriptions will inherit related authentication when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. +Additionally, subscriptions will inherit related authorization when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. ## Set up a real-time list query diff --git a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/data-modeling/index.mdx b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/data-modeling/index.mdx index 067231d4b83..f569aed3256 100644 --- a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/data-modeling/index.mdx +++ b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/data-modeling/index.mdx @@ -301,7 +301,7 @@ Because subscriptions are tied to mutations and the selection set provided in th If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. -Additionally, subscriptions will inherit related authentication when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. +Additionally, subscriptions will inherit related authorization when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. ### Has One relationship diff --git a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/subscribe-data/index.mdx b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/subscribe-data/index.mdx index 681f8ac60e7..31b47e50acc 100644 
--- a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/subscribe-data/index.mdx +++ b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/subscribe-data/index.mdx @@ -58,7 +58,7 @@ Because subscriptions are tied to mutations and the selection set provided in th If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. -Additionally, subscriptions will inherit related authentication when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. +Additionally, subscriptions will inherit related authorization when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. ## Set up a real-time subscription From 7e7b870d6e5025230637270c05d0ad60080211f4 Mon Sep 17 00:00:00 2001 From: Michael Law <1365977+lawmicha@users.noreply.github.com> Date: Mon, 24 Jun 2024 12:25:19 -0400 Subject: [PATCH 03/19] chore(api): Callout for field redaction on Swift Android relational models --- .../graphqlapi/relational-models/index.mdx | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/relational-models/index.mdx b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/relational-models/index.mdx index 59813b96137..b9dbd461c90 100644 --- a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/relational-models/index.mdx +++ b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/relational-models/index.mdx 
@@ -29,6 +29,24 @@ API (GraphQL) has the capability to handle relationships between Models, such as By default, GraphQL APIs requests generate a selection set with a depth of 0. Connected relationship models are not returned in the initial request, but can be lazily loaded as needed with an additional API request. We provide mechanisms to customize the selection set, which allows connected relationships to be eagerly loaded on the initial request. + + +With versions of Amplify CLI `@aws-amplify/cli@12.12.2` and API Category `@aws-amplify/amplify-category-api@5.11.5`, an improvement was made to how relational field data is handled in subscriptions when different authorization rules apply to related models in a schema. The improvement redacts the values for the relational fields, displaying them as null or empty, to prevent unauthorized access to relational data. + +This redaction occurs whenever it cannot be determined that the child model will be protected by the same permissions as the parent model. + +Because subscriptions are tied to mutations and the selection set provided in the result of a mutation is then passed through to the subscription, relational fields in the result of mutations must be redacted. + +If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. + +Additionally, subscriptions will inherit related authorization when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. + +- **Lazy and Eager Loading**: Lazy and eager loading for has-one and belongs-to relationships is no longer supported for Mutations and Subscriptions. However, you can continue to perform eager or lazy loading for Query requests and for has-many relationships. 
+ +- **Subscriptions and Related Models**: When performing a subscription and you need to retrieve the related model, perform a lazy or eager loaded query using the model identifier from the subscription event to continue to retrieve the related data. + + + ## Prerequisites The following examples have a minimum version requirement of the following: From 19a0c682b38d5cb27272da577a31aea10ae9147f Mon Sep 17 00:00:00 2001 From: Michael Law <1365977+lawmicha@users.noreply.github.com> Date: Mon, 24 Jun 2024 16:40:50 -0400 Subject: [PATCH 04/19] Update src/pages/gen1/[platform]/build-a-backend/graphqlapi/relational-models/index.mdx --- .../build-a-backend/graphqlapi/relational-models/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/relational-models/index.mdx b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/relational-models/index.mdx index b9dbd461c90..c1d2b5a712d 100644 --- a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/relational-models/index.mdx +++ b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/relational-models/index.mdx 
@@ -41,7 +41,7 @@ If an authorized end-user needs access to the redacted relational fields, they s Additionally, subscriptions will inherit related authorization when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. -- **Lazy and Eager Loading**: Lazy and eager loading for has-one and belongs-to relationships is no longer supported for Mutations and Subscriptions. However, you can continue to perform eager or lazy loading for Query requests and for has-many relationships. +- **Lazy and Eager Loading**: Lazy and eager loading relationships is no longer supported for Mutations and Subscriptions. However, you can continue to perform eager or lazy loading for Queries. - **Subscriptions and Related Models**: When performing a subscription and you need to retrieve the related model, perform a lazy or eager loaded query using the model identifier from the subscription event to continue to retrieve the related data. From 3e58b37e2f93449cb7c7bcfa72a91cbdb3c0af76 Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Mon, 24 Jun 2024 18:43:09 -0400 Subject: [PATCH 05/19] add feature flag to warning for gen 1 --- .../build-a-backend/graphqlapi/data-modeling/index.mdx | 7 +++++++ .../build-a-backend/graphqlapi/relational-models/index.mdx | 6 ++++++ .../build-a-backend/graphqlapi/subscribe-data/index.mdx | 7 +++++++ 3 files changed, 20 insertions(+) diff --git a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/data-modeling/index.mdx b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/data-modeling/index.mdx index f569aed3256..29090369553 100644 --- a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/data-modeling/index.mdx +++ b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/data-modeling/index.mdx 
@@ -302,6 +302,13 @@ Because subscriptions are tied to mutations and the selection set provided in th If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. Additionally, subscriptions will inherit related authorization when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. + +Based on the security posture of your application, you can choose to revert to the subscription behavior before this improvement was made. +To do so, use the `subscriptionsInheritPrimaryAuth` feature flag under `graphqltransformer` in the `amplify/backend/cli.json` file. + +- If enabled, subscriptions will inherit the primary model authorization rules for the relational fields. +- If disabled, relational fields will be redacted in mutation response when there is a difference between auth rules between primary and related models. + ### Has One relationship diff --git a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/relational-models/index.mdx b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/relational-models/index.mdx index c1d2b5a712d..ed7851b5522 100644 --- a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/relational-models/index.mdx +++ b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/relational-models/index.mdx 
@@ -45,6 +45,12 @@ Additionally, subscriptions will inherit related authorization when relational f - **Subscriptions and Related Models**: When performing a subscription and you need to retrieve the related model, perform a lazy or eager loaded query using the model identifier from the subscription event to continue to retrieve the related data. +Based on the security posture of your application, you can choose to revert to the subscription behavior before this improvement was made. +To do so, use the `subscriptionsInheritPrimaryAuth` feature flag under `graphqltransformer` in the `amplify/backend/cli.json` file. + +- If enabled, subscriptions will inherit the primary model authorization rules for the relational fields. +- If disabled, relational fields will be redacted in mutation response when there is a difference between auth rules between primary and related models. + ## Prerequisites diff --git a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/subscribe-data/index.mdx b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/subscribe-data/index.mdx index 31b47e50acc..8da31bb86e9 100644 --- a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/subscribe-data/index.mdx +++ b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/subscribe-data/index.mdx 
@@ -59,6 +59,13 @@ Because subscriptions are tied to mutations and the selection set provided in th If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. Additionally, subscriptions will inherit related authorization when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. + +Based on the security posture of your application, you can choose to revert to the subscription behavior before this improvement was made. +To do so, use the `subscriptionsInheritPrimaryAuth` feature flag under `graphqltransformer` in the `amplify/backend/cli.json` file. + +- If enabled, subscriptions will inherit the primary model authorization rules for the relational fields. +- If disabled, relational fields will be redacted in mutation response when there is a difference between auth rules between primary and related models. + ## Set up a real-time subscription From 3176079896e4f5e94fb454ae5f49a64d19f9166e Mon Sep 17 00:00:00 2001 From: Heather Date: Fri, 28 Jun 2024 13:16:57 -0400 Subject: [PATCH 06/19] Fix heading order in fragments affecting this page --- src/fragments/lib/graphqlapi/flutter/subscribe-data.mdx | 2 +- src/fragments/lib/graphqlapi/ios/subscribe-data.mdx | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/fragments/lib/graphqlapi/flutter/subscribe-data.mdx b/src/fragments/lib/graphqlapi/flutter/subscribe-data.mdx index 94f62434e52..a27c521b8ff 100644 --- a/src/fragments/lib/graphqlapi/flutter/subscribe-data.mdx +++ b/src/fragments/lib/graphqlapi/flutter/subscribe-data.mdx @@ -76,7 +76,7 @@ Amplify.Hub.listen( ); ``` -#### SubscriptionStatus +### SubscriptionStatus - **`connected`** - Connected and working with no issues - **`connecting`** - Attempting to connect (both initial connection and reconnection) 
diff --git a/src/fragments/lib/graphqlapi/ios/subscribe-data.mdx b/src/fragments/lib/graphqlapi/ios/subscribe-data.mdx index 8aed3a7d48a..72008794ea5 100644 --- a/src/fragments/lib/graphqlapi/ios/subscribe-data.mdx +++ b/src/fragments/lib/graphqlapi/ios/subscribe-data.mdx @@ -87,9 +87,9 @@ func createSubscription() { -### Unsubscribing from updates +## Unsubscribing from updates -#### Async/Await +### Async/Await To unsubscribe from updates, you can call `cancel()` on the subscription. @@ -100,7 +100,7 @@ func cancelSubscription() { } ``` -#### Combine +### Combine Calling `cancel()` on the sequence will disconnect the subscription from the backend. Any downstream subscribers will also be cancelled. From 0d02cbfc6be5e6ee11200b687ab002d465909122 Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Fri, 28 Jun 2024 15:55:37 -0400 Subject: [PATCH 07/19] add protected redaction message components --- .../ProtectedRedactionMessage/index.tsx | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 src/protected/ProtectedRedactionMessage/index.tsx diff --git a/src/protected/ProtectedRedactionMessage/index.tsx b/src/protected/ProtectedRedactionMessage/index.tsx new file mode 100644 index 00000000000..1bf980f7c0e --- /dev/null +++ b/src/protected/ProtectedRedactionMessage/index.tsx 
@@ -0,0 +1,37 @@ +import { Callout } from '@/components/Callout'; + +export const PROTECTED_REDACTION_GEN1_MESSAGE = `With versions of Amplify CLI \`@aws-amplify/cli@12.12.2\` and API Category \`@aws-amplify/amplify-category-api@5.11.5\`, an improvement was made to how relational field data is handled in subscriptions when different authorization rules apply to related models in a schema. The improvement redacts the values for the relational fields, displaying them as null or empty, to prevent unauthorized access to relational data. + + This redaction occurs whenever it cannot be determined that the child model will be protected by the same permissions as the parent model. + + Because subscriptions are tied to mutations and the selection set provided in the result of a mutation is then passed through to the subscription, relational fields in the result of mutations must be redacted. + + If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. + + Additionally, subscriptions will inherit related authorization when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. + + Based on the security posture of your application, you can choose to revert to the subscription behavior before this improvement was made. + To do so, use the \`subscriptionsInheritPrimaryAuth\` feature flag under \`graphqltransformer\` in the \`amplify/backend/cli.json\` file. + + - If enabled, subscriptions will inherit the primary model authorization rules for the relational fields. 
+ - If disabled, relational fields will be redacted in mutation response when there is a difference between auth rules between primary and related models.`; + +export const PROTECTED_REDACTION_GEN2_MESSAGE = `With Amplify Data Construct \`@aws-amplify/data-construct@1.8.4\`, an improvement was made to how relational field data is handled in subscriptions when different authorization rules apply to related models in a schema. The improvement redacts the values for the relational fields, displaying them as null or empty, to prevent unauthorized access to relational data. + + This redaction occurs whenever it cannot be determined that the child model will be protected by the same permissions as the parent model. + + Because subscriptions are tied to mutations and the selection set provided in the result of a mutation is then passed through to the subscription, relational fields in the result of mutations must be redacted. + + If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. + + Additionally, subscriptions will inherit related authorization when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields.`; + +// WARNING: The messaging in this component should NOT be changed without the appropriate approvals +export const ProtectedRedactionGen1Message = () => ( + {PROTECTED_REDACTION_GEN1_MESSAGE} +); + +// WARNING: The messaging in this component should NOT be changed without the appropriate approvals +export const ProtectedRedactionGen2Message = () => ( + {PROTECTED_REDACTION_GEN2_MESSAGE} +); From ac07c2c043531ca6ee3ab40e4fd7f950480b9c63 Mon Sep 17 00:00:00 2001 
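Review bot: The `subscriptionsInheritPrimaryAuth` paragraph in `PROTECTED_REDACTION_GEN1_MESSAGE` tells readers how to revert the redaction but not what reverting costs. The message itself says the redaction exists "to prevent unauthorized access to relational data", so the "If enabled" bullet should state the consequence where the choice is made, for example `- If enabled, subscriptions will inherit the primary model authorization rules for the relational fields, so relational values are no longer redacted for subscribers who are not authorized on the related model.` The message also does not say which state is the default, and a reader deciding "based on the security posture of your application" needs that. Separately, both constants are Markdown-style template strings (backticks, `-` bullets, blank-line paragraphs) passed as a plain expression child. If the wrapper renders them as text, as the visible JSX suggests, the flag name, file path and the enabled/disabled list will show as literal characters in one run of text, which JSX children with `<code>` and `<ul>` elements would avoid.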
From: Chris Bonifacio
Date: Fri, 28 Jun 2024 17:49:23 -0400
Subject: [PATCH 08/19] Add tests for redaction message Gen 1 and Gen 2 components
---
.../ProtectedRedactionMessage.test.tsx | 87 +++++++++++++++++++
1 file changed, 87 insertions(+)
create mode 100644 src/protected/ProtectedRedactionMessage/__tests__/ProtectedRedactionMessage.test.tsx
diff --git a/src/protected/ProtectedRedactionMessage/__tests__/ProtectedRedactionMessage.test.tsx b/src/protected/ProtectedRedactionMessage/__tests__/ProtectedRedactionMessage.test.tsx
new file mode 100644
index 00000000000..97a1535a657
--- /dev/null
+++ b/src/protected/ProtectedRedactionMessage/__tests__/ProtectedRedactionMessage.test.tsx
@@ -0,0 +1,87 @@
+import * as React from 'react';
+import { render } from '@testing-library/react';
+import {
+ ProtectedRedactionGen1Message,
+ ProtectedRedactionGen2Message
+} from '../index';
+import fs from 'fs';
+
+// REALTIME DATA
+const GEN1_V5_REALTIME_DATA_PAGE_PATH =
+ 'src/pages/gen1/[platform]/prev/build-a-backend/graphqlapi/subscribe-data/index.mdx';
+
+const GEN1_V6_REALTIME_DATA_PAGE_PATH =
+ 'src/pages/gen1/[platform]/build-a-backend/graphqlapi/subscribe-data/index.mdx';
+
+const GEN2_REALTIME_DATA_PAGE_PATH =
+ 'src/pages/[platform]/build-a-backend/data/subscribe-data/index.mdx';
+
+// DATA MODELING
+
+const GEN1_V6_DATA_MODELING_PAGE_PATH =
+ 'src/pages/gen1/[platform]/build-a-backend/graphqlapi/data-modeling/index.mdx';
+
+const GEN2_DATA_MODELING_PAGE_PATH =
+ 'src/pages/[platform]/build-a-backend/data/data-modeling/relationships/index.mdx';
+
+describe('Protected Redaction Messages', () => {
+ /*
+ This test is to ensure that the ProtectedRedactionGen1Message component appears on the Gen 1 realtime data pages and cannot be removed or modified without approval.
+ */
+ it('should render ProtectedRedactionGen1Message component on the Gen 1 V5 realtime data page', async () => {
+ const pageData = fs.readFileSync(GEN1_V5_REALTIME_DATA_PAGE_PATH, {
+ encoding: 'utf8'
+ });
+ expect(pageData).toMatch(//);
+ });
+
+ it('should render ProtectedRedactionGen1Message component on the Gen 1 V6 realtime data page', async () => {
+ const pageData = fs.readFileSync(GEN1_V6_REALTIME_DATA_PAGE_PATH, {
+ encoding: 'utf8'
+ });
+ expect(pageData).toMatch(//);
+ });
+
+ it('should render ProtectedRedactionGen1Message component on the Gen 2 realtime data page', async () => {
+ const pageData = fs.readFileSync(GEN2_REALTIME_DATA_PAGE_PATH, {
+ encoding: 'utf8'
+ });
+ expect(pageData).toMatch(//);
+ });
+
+ it('should render ProtectedRedactionGen1Message component on the Gen 1 V6 data modeling page', async () => {
+ const pageData = fs.readFileSync(GEN1_V6_DATA_MODELING_PAGE_PATH, {
+ encoding: 'utf8'
+ });
+ expect(pageData).toMatch(//);
+ });
+
+ it('should render ProtectedRedactionGen1Message component on the Gen 2 data modeling page', async () => {
+ const pageData = fs.readFileSync(GEN2_DATA_MODELING_PAGE_PATH, {
+ encoding: 'utf8'
+ });
+ expect(pageData).toMatch(//);
+ });
+
+ /*
+ This test is to ensure that the messaging on the ProtectedRedactionGen1Message component does not change
+ and cannot be removed or modified without approval.
+ */
+ it('should render the protected redaction message for Gen 1', async () => {
+ const { container } = render();
+
+ // const protectedNode = await screen.findByText(
+ // PROTECTED_REDACTION_GEN1_MESSAGE
+ // );
+ expect(container.firstChild).toMatchSnapshot();
+ });
+
+ it('should render the protected redaction message for Gen 2', async () => {
+ const { container } = render();
+
+ // const protectedNode = await screen.findByText(
+ // PROTECTED_REDACTION_GEN1_MESSAGE
+ // );
+ expect(container.firstChild).toMatchSnapshot();
+ });
+});
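Review bot: The two Gen 2 page cases are titled `should render ProtectedRedactionGen1Message component on the Gen 2 realtime data page` and `... on the Gen 2 data modeling page`, so a failure would name the wrong component. Their `toMatch` patterns are not legible in this view; confirm each title names the component its pattern expects, e.g. `it('should render ProtectedRedactionGen2Message component on the Gen 2 realtime data page', ...)`. All five page checks read the raw `.mdx` text with `fs.readFileSync`, so they show only that the pattern occurs somewhere in the file. A tag left inside an MDX `{/* ... */}` comment would presumably still satisfy them, and the block comments above the tests should say that presence, not rendering, is what is guarded. The callbacks are declared `async` but await nothing, so `async` can be dropped.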
From 8bf40370aba6b11a80b047207bd06db4738a4c43 Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Fri, 28 Jun 2024 17:49:54 -0400 Subject: [PATCH 09/19] add snapshots for redaction Gen 1 and Gen 2 component tests --- .../ProtectedRedactionMessage.test.tsx.snap | 137 ++++++++++++++++++ 1 file changed, 137 insertions(+) create mode 100644 src/protected/ProtectedRedactionMessage/__tests__/__snapshots__/ProtectedRedactionMessage.test.tsx.snap diff --git a/src/protected/ProtectedRedactionMessage/__tests__/__snapshots__/ProtectedRedactionMessage.test.tsx.snap b/src/protected/ProtectedRedactionMessage/__tests__/__snapshots__/ProtectedRedactionMessage.test.tsx.snap new file mode 100644 index 00000000000..42d72237658 --- /dev/null +++ b/src/protected/ProtectedRedactionMessage/__tests__/__snapshots__/ProtectedRedactionMessage.test.tsx.snap @@ -0,0 +1,137 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`Protected Redaction Messages should render the protected redaction message for Gen 1 1`] = ` +
+ +
+
+

+ With versions of Amplify CLI + + @aws-amplify/cli@12.12.2 + + and API Category + + @aws-amplify/amplify-category-api@5.11.5 + + , an improvement was made to how relational field data is handled in subscriptions when different authorization rules apply to related models in a schema. The improvement redacts the values for the relational fields, displaying them as null or empty, to prevent unauthorized access to relational data. This redaction occurs whenever it cannot be determined that the child model will be protected by the same permissions as the parent model. +

+

+ Because subscriptions are tied to mutations and the selection set provided in the result of a mutation is then passed through to the subscription, relational fields in the result of mutations must be redacted. +

+

+ If an authorized end-user needs access to the redacted relational field they should perform a query to read the relational data. +

+

+ Additionally, subscriptions will inherit related authorization when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. +

+

+ Based on the security posture of your application, you can choose to revert to the subscription behavior before this improvement was made. +

+

+ To do so, use the + + subscriptionsInheritPrimaryAuth + + feature flag under + + graphqltransformer + + in the + + + amplify/backend/cli.json + + file. +

+
    +
  • + If enabled, subscriptions will inherit the primary model authorization rules for the relational fields. +
  • +
  • + If disabled, relational fields will be redacted in mutation response when there is a difference between auth rules between primary and related models. +
  • +
+
+
+
+`; + +exports[`Protected Redaction Messages should render the protected redaction message for Gen 2 1`] = ` +
+ +
+
+

+ With Amplify Data Construct + + @aws-amplify/data-construct@1.8.4 + + , an improvement was made to how relational field data is handled in subscriptions when different authorization rules apply to related models in a schema. The improvement redacts the values for the relational fields, displaying them as null or empty, to prevent unauthorized access to relational data. +

+

+ This redaction occurs whenever it cannot be determined that the child model will be protected by the same permissions as the parent model. +

+

+ Because subscriptions are tied to mutations and the selection set provided in the result of a mutation is then passed through to the subscription, relational fields in the result of mutations must be redacted. +

+

+ If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. +

+

+ Additionally, subscriptions will inherit related authorization when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. +

+
+
+
+`; From ec05139c094063fc81794f16b51e2f655abb2076 Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Fri, 28 Jun 2024 17:50:18 -0400 Subject: [PATCH 10/19] Adds ProtectedRedactionMessage components for Gen 1 and Gen2 --- .../ProtectedRedactionMessage/index.tsx | 103 +++++++++++++----- 1 file changed, 75 insertions(+), 28 deletions(-) diff --git a/src/protected/ProtectedRedactionMessage/index.tsx b/src/protected/ProtectedRedactionMessage/index.tsx index 1bf980f7c0e..c4180a29e42 100644 --- a/src/protected/ProtectedRedactionMessage/index.tsx +++ b/src/protected/ProtectedRedactionMessage/index.tsx 
@@ -1,37 +1,84 @@ import { Callout } from '@/components/Callout'; -export const PROTECTED_REDACTION_GEN1_MESSAGE = `With versions of Amplify CLI \`@aws-amplify/cli@12.12.2\` and API Category \`@aws-amplify/amplify-category-api@5.11.5\`, an improvement was made to how relational field data is handled in subscriptions when different authorization rules apply to related models in a schema. The improvement redacts the values for the relational fields, displaying them as null or empty, to prevent unauthorized access to relational data. - - This redaction occurs whenever it cannot be determined that the child model will be protected by the same permissions as the parent model. - - Because subscriptions are tied to mutations and the selection set provided in the result of a mutation is then passed through to the subscription, relational fields in the result of mutations must be redacted. - - If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. - - Additionally, subscriptions will inherit related authorization when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. - - Based on the security posture of your application, you can choose to revert to the subscription behavior before this improvement was made. - To do so, use the \`subscriptionsInheritPrimaryAuth\` feature flag under \`graphqltransformer\` in the \`amplify/backend/cli.json\` file. - - - If enabled, subscriptions will inherit the primary model authorization rules for the relational fields. 
- - If disabled, relational fields will be redacted in mutation response when there is a difference between auth rules between primary and related models.`; - -export const PROTECTED_REDACTION_GEN2_MESSAGE = `With Amplify Data Construct \`@aws-amplify/data-construct@1.8.4\`, an improvement was made to how relational field data is handled in subscriptions when different authorization rules apply to related models in a schema. The improvement redacts the values for the relational fields, displaying them as null or empty, to prevent unauthorized access to relational data. - - This redaction occurs whenever it cannot be determined that the child model will be protected by the same permissions as the parent model. - - Because subscriptions are tied to mutations and the selection set provided in the result of a mutation is then passed through to the subscription, relational fields in the result of mutations must be redacted. - - If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. - - Additionally, subscriptions will inherit related authorization when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields.`; - // WARNING: The messaging in this component should NOT be changed without the appropriate approvals export const ProtectedRedactionGen1Message = () => ( - {PROTECTED_REDACTION_GEN1_MESSAGE} + +

+ With versions of Amplify CLI @aws-amplify/cli@12.12.2 and API + Category + @aws-amplify/amplify-category-api@5.11.5, an improvement was + made to how relational field data is handled in subscriptions when + different authorization rules apply to related models in a schema. The + improvement redacts the values for the relational fields, displaying them + as null or empty, to prevent unauthorized access to relational data. This + redaction occurs whenever it cannot be determined that the child model + will be protected by the same permissions as the parent model. +

+

+ Because subscriptions are tied to mutations and the selection set provided + in the result of a mutation is then passed through to the subscription, + relational fields in the result of mutations must be redacted. +

+

+ If an authorized end-user needs access to the redacted relational field + they should perform a query to read the relational data. +

+

+ Additionally, subscriptions will inherit related authorization when + relational fields are set as required. To better protect relational data, + consider modifying the schema to use optional relational fields. +

+

+ Based on the security posture of your application, you can choose to + revert to the subscription behavior before this improvement was made. +

+

+ To do so, use the subscriptionsInheritPrimaryAuth feature + flag under graphqltransformer in the{' '} + amplify/backend/cli.json file. +

+
    +
  • + If enabled, subscriptions will inherit the primary model authorization + rules for the relational fields. +
  • +
  • + If disabled, relational fields will be redacted in mutation response + when there is a difference between auth rules between primary and + related models. +
  • +
+
); // WARNING: The messaging in this component should NOT be changed without the appropriate approvals export const ProtectedRedactionGen2Message = () => ( - {PROTECTED_REDACTION_GEN2_MESSAGE} + +

+ With Amplify Data Construct @aws-amplify/data-construct@1.8.4 + , an improvement was made to how relational field data is handled in + subscriptions when different authorization rules apply to related models + in a schema. The improvement redacts the values for the relational fields, + displaying them as null or empty, to prevent unauthorized access to + relational data. +

+

+ This redaction occurs whenever it cannot be determined that the child + model will be protected by the same permissions as the parent model. +

+

+ Because subscriptions are tied to mutations and the selection set provided + in the result of a mutation is then passed through to the subscription, + relational fields in the result of mutations must be redacted. +

+

+ If an authorized end-user needs access to the redacted relational fields, + they should perform a query to read the relational data. +

+

+ Additionally, subscriptions will inherit related authorization when + relational fields are set as required. To better protect relational data, + consider modifying the schema to use optional relational fields. +

+
); From 1045efb1e27a59334e6ce1436d2d8aac5b129bd0 Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Fri, 28 Jun 2024 17:50:53 -0400 Subject: [PATCH 11/19] Render ProtectedRedactionGen1Message component on Gen 1 realtime page --- .../graphqlapi/subscribe-data/index.mdx | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/subscribe-data/index.mdx b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/subscribe-data/index.mdx index 8da31bb86e9..51af5300967 100644 --- a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/subscribe-data/index.mdx +++ b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/subscribe-data/index.mdx 
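Review bot: In `src/protected/ProtectedRedactionMessage/index.tsx` the new Gen 1 paragraph reads `If an authorized end-user needs access to the redacted relational field they should perform a query to read the relational data.`, which drops the plural and the comma. The string this hunk removes, and the Gen 2 component below it, both read `redacted relational fields, they should perform`. The Gen 1 block also folds the "This redaction occurs whenever ..." sentence into the first paragraph, while Gen 2 keeps it as its own paragraph. Both components carry the "should NOT be changed without the appropriate approvals" warning, and the snapshot added earlier in this series pins the altered text. Either restore `redacted relational fields,` and the separate paragraph in the Gen 1 block and regenerate the snapshot, or record the approval for the wording change in the commit message.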
@@ -49,24 +49,11 @@ Before you begin, you will need: - -With versions of Amplify CLI `@aws-amplify/cli@12.12.2` and API Category `@aws-amplify/amplify-category-api@5.11.5`, an improvement was made to how relational field data is handled in subscriptions when different authorization rules apply to related models in a schema. The improvement redacts the values for the relational fields, displaying them as null or empty, to prevent unauthorized access to relational data. +{/* This component contains approved messaging and cannot be removed or modified without prior approval */} -This redaction occurs whenever it cannot be determined that the child model will be protected by the same permissions as the parent model. +import { ProtectedRedactionGen1Message } from "@/protected/ProtectedRedactionMessage" -Because subscriptions are tied to mutations and the selection set provided in the result of a mutation is then passed through to the subscription, relational fields in the result of mutations must be redacted. - -If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. - -Additionally, subscriptions will inherit related authorization when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. - -Based on the security posture of your application, you can choose to revert to the subscription behavior before this improvement was made. -To do so, use the `subscriptionsInheritPrimaryAuth` feature flag under `graphqltransformer` in the `amplify/backend/cli.json` file. - -- If enabled, subscriptions will inherit the primary model authorization rules for the relational fields. -- If disabled, relational fields will be redacted in mutation response when there is a difference between auth rules between primary and related models. - - + ## Set up a real-time subscription 
From 2e540e16a4a40aa7c3eb0265c277407a14474859 Mon Sep 17 00:00:00 2001
From: Chris Bonifacio
Date: Fri, 28 Jun 2024 17:51:09 -0400
Subject: [PATCH 12/19] Render ProtectedRedactionGen1Message component on Gen 2 data modeling page
---
.../data/data-modeling/relationships/index.mdx | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/src/pages/[platform]/build-a-backend/data/data-modeling/relationships/index.mdx b/src/pages/[platform]/build-a-backend/data/data-modeling/relationships/index.mdx
index 28b03a3a38a..e7d030c32fd 100644
--- a/src/pages/[platform]/build-a-backend/data/data-modeling/relationships/index.mdx
+++ b/src/pages/[platform]/build-a-backend/data/data-modeling/relationships/index.mdx
@@ -32,17 +32,11 @@ export function getStaticProps(context) { When modeling application data, you often need to establish relationships between different data models. In Amplify Data, you can create one-to-many, one-to-one, and many-to-many relationships in your Data schema. On the client-side, Amplify Data allows you to lazy or eager load of related data. - -With versions of Amplify CLI `@aws-amplify/cli@12.12.2` and API Category `@aws-amplify/amplify-category-api@5.11.5`, an improvement was made to how relational field data is handled in subscriptions when different authorization rules apply to related models in a schema. The improvement redacts the values for the relational fields, displaying them as null or empty, to prevent unauthorized access to relational data. +{/* This component contains approved messaging and cannot be removed or modified without prior approval */} -This redaction occurs whenever it cannot be determined that the child model will be protected by the same permissions as the parent model. +import { ProtectedRedactionGen2Message } from "@/protected/ProtectedRedactionMessage" -Because subscriptions are tied to mutations and the selection set provided in the result of a mutation is then passed through to the subscription, relational fields in the result of mutations must be redacted. - -If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. - -Additionally, subscriptions will inherit related authorization when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. - + ## Types of relationships From 797f11631c3cb3f666fcfcdcb8ef22568e75841c Mon Sep 17 00:00:00 2001 
From: Chris Bonifacio
Date: Fri, 28 Jun 2024 17:51:25 -0400
Subject: [PATCH 13/19] Render ProtectedRedactionGen2Message component on Gen 2 realtime page
---
.../build-a-backend/data/subscribe-data/index.mdx | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/src/pages/[platform]/build-a-backend/data/subscribe-data/index.mdx b/src/pages/[platform]/build-a-backend/data/subscribe-data/index.mdx
index 9b9bae361f5..58894b78cb0 100644
--- a/src/pages/[platform]/build-a-backend/data/subscribe-data/index.mdx
+++ b/src/pages/[platform]/build-a-backend/data/subscribe-data/index.mdx
@@ -38,17 +38,11 @@ Before you begin, you will need: - An [application connected to the API](/[platform]/build-a-backend/data/connect-to-API/) - Data already created to modify - -With versions of Amplify CLI `@aws-amplify/cli@12.12.2` and API Category `@aws-amplify/amplify-category-api@5.11.5`, an improvement was made to how relational field data is handled in subscriptions when different authorization rules apply to related models in a schema. The improvement redacts the values for the relational fields, displaying them as null or empty, to prevent unauthorized access to relational data. +{/* This component contains approved messaging and cannot be removed or modified without prior approval */} -This redaction occurs whenever it cannot be determined that the child model will be protected by the same permissions as the parent model. +import { ProtectedRedactionGen2Message } from "@/protected/ProtectedRedactionMessage" -Because subscriptions are tied to mutations and the selection set provided in the result of a mutation is then passed through to the subscription, relational fields in the result of mutations must be redacted. - -If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. - -Additionally, subscriptions will inherit related authorization when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. - + ## Set up a real-time list query From c35da8fefba09028dbe6da9e3196d3f96d69879f Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Fri, 28 Jun 2024 17:51:52 -0400 Subject: [PATCH 14/19] Render ProtectedRedactionGen1Message component on Gen 1 data modeling page --- .../graphqlapi/data-modeling/index.mdx | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) 
diff --git a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/data-modeling/index.mdx b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/data-modeling/index.mdx
index 29090369553..59c389676cb 100644
--- a/src/pages/gen1/[platform]/build-a-backend/graphqlapi/data-modeling/index.mdx
+++ b/src/pages/gen1/[platform]/build-a-backend/graphqlapi/data-modeling/index.mdx
@@ -292,24 +292,11 @@ Create "has one", "has many", "belongs to", and "many to many" relationships bet | `@belongsTo` | Use a "belongs to" relationship to make a "has one" or "has many" relationship bi-directional. For example, a Project has one Team and a Team belongs to a Project. This allows you to query the team from the project record and vice versa. | | `@manyToMany` | Configures a "join table" between two models to facilitate a many-to-many relationship. For example, a Blog has many Tags and a Tag has many Blogs. | - -With versions of Amplify CLI `@aws-amplify/cli@12.12.2` and API Category `@aws-amplify/amplify-category-api@5.11.5`, an improvement was made to how relational field data is handled in subscriptions when different authorization rules apply to related models in a schema. The improvement redacts the values for the relational fields, displaying them as null or empty, to prevent unauthorized access to relational data. +{/* This component contains approved messaging and cannot be removed or modified without prior approval */} -This redaction occurs whenever it cannot be determined that the child model will be protected by the same permissions as the parent model. +import { ProtectedRedactionGen1Message } from "@/protected/ProtectedRedactionMessage" -Because subscriptions are tied to mutations and the selection set provided in the result of a mutation is then passed through to the subscription, relational fields in the result of mutations must be redacted. - -If an authorized end-user needs access to the redacted relational fields, they should perform a query to read the relational data. - -Additionally, subscriptions will inherit related authorization when relational fields are set as required. To better protect relational data, consider modifying the schema to use optional relational fields. - -Based on the security posture of your application, you can choose to revert to the subscription behavior before this improvement was made. 
-To do so, use the `subscriptionsInheritPrimaryAuth` feature flag under `graphqltransformer` in the `amplify/backend/cli.json` file. - -- If enabled, subscriptions will inherit the primary model authorization rules for the relational fields. -- If disabled, relational fields will be redacted in mutation response when there is a difference between auth rules between primary and related models. - - + ### Has One relationship From c9dbc638ce18a49196757f014eb845d255a46f0d Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Fri, 28 Jun 2024 17:52:03 -0400 Subject: [PATCH 15/19] Render ProtectedRedactionGen1Message component on Gen 1 V5 realtime page --- .../build-a-backend/graphqlapi/subscribe-data/index.mdx | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/pages/gen1/[platform]/prev/build-a-backend/graphqlapi/subscribe-data/index.mdx b/src/pages/gen1/[platform]/prev/build-a-backend/graphqlapi/subscribe-data/index.mdx index 9fd2e89d703..0f758f8ec05 100644 --- a/src/pages/gen1/[platform]/prev/build-a-backend/graphqlapi/subscribe-data/index.mdx +++ b/src/pages/gen1/[platform]/prev/build-a-backend/graphqlapi/subscribe-data/index.mdx @@ -38,6 +38,12 @@ Before you begin, you will need: - An [application connected to the API](/gen1/[platform]/prev/build-a-backend/graphqlapi/connect-to-api/) - Data already created to modify +{/* This component contains approved messaging and cannot be removed or modified without prior approval */} + +import { ProtectedRedactionGen1Message } from "@/protected/ProtectedRedactionMessage" + + + ## Set up a real-time subscription Subscriptions is a GraphQL feature that allows the server to send data to its clients when a specific event happens. For example, you can subscribe to an event when a new record is created, updated, or deleted through the API. You can enable real-time data integration in your app with a subscription. From b9075146b70500e3c2d19d1b2961be602cb47e29 Mon Sep 17 00:00:00 2001 
From: Chris Bonifacio Date: Fri, 28 Jun 2024 18:07:24 -0400 Subject: [PATCH 16/19] add subscriptionsInheritPrimaryAuth as a feature flag --- .../FeatureFlags/feature-flags.json | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/src/components/FeatureFlags/feature-flags.json b/src/components/FeatureFlags/feature-flags.json index a2e95d99bf9..1dc9bf90e8f 100644 --- a/src/components/FeatureFlags/feature-flags.json +++ b/src/components/FeatureFlags/feature-flags.json @@ -371,6 +371,26 @@ "defaultExistingProject": false } ] + }, + "subscriptionsInheritPrimaryAuth": { + "description": "Toggles whether subscriptions will inherit related authorization when relational fields are set as required", + "type": "Feature", + "valueType": "Boolean", + "versionAdded": "12.12.2", + "values": [ + { + "value": "true", + "description": "Subscriptions will inherit the primary model authorization rules for the relational fields", + "defaultNewProject": false, + "defaultExistingProject": true + }, + { + "value": "false", + "description": "Relational fields will be redacted in mutation response when there is a difference between auth rules between primary and related models.", + "defaultNewProject": true, + "defaultExistingProject": false + } + ] } } }, From 013d5ddea3f2b65bc63484d7f2cee1d46f153a96 Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Fri, 28 Jun 2024 19:02:28 -0400 Subject: [PATCH 17/19] correct version for subscriptionsInheritPrimaryAuth --- src/components/FeatureFlags/feature-flags.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/components/FeatureFlags/feature-flags.json b/src/components/FeatureFlags/feature-flags.json index 1dc9bf90e8f..73f774d3b88 100644 --- a/src/components/FeatureFlags/feature-flags.json +++ b/src/components/FeatureFlags/feature-flags.json 
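Review bot: The top-level `description` added for `subscriptionsInheritPrimaryAuth` in `feature-flags.json` does not say which value is the protective one. The defaults leave existing projects on `true` (`"defaultExistingProject": true`), which the callout text in this series describes as reverting to the subscription behavior before the redaction improvement. Consider wording such as `"description": "Toggles whether subscriptions inherit the primary model's authorization rules for relational fields (true, the behavior before the redaction improvement) or redact relational fields when auth rules differ (false)"`, so someone upgrading an existing project can see that redaction requires setting the flag to `false`. The next patch in the series changes `versionAdded` to `12.12.4` while the callout names `@aws-amplify/cli@12.12.2`; confirm the two versions are meant to differ.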
@@ -376,7 +376,7 @@ "description": "Toggles whether subscriptions will inherit related authorization when relational fields are set as required", "type": "Feature", "valueType": "Boolean", - "versionAdded": "12.12.2", + "versionAdded": "12.12.4", "values": [ { "value": "true", From 22b6a18275c7644c2193ad77992cedcbd0a007d2 Mon Sep 17 00:00:00 2001 From: Chris Bonifacio Date: Fri, 28 Jun 2024 19:06:23 -0400 Subject: [PATCH 18/19] remove commented code --- .../__tests__/ProtectedRedactionMessage.test.tsx | 6 ------ 1 file changed, 6 deletions(-) diff --git a/src/protected/ProtectedRedactionMessage/__tests__/ProtectedRedactionMessage.test.tsx b/src/protected/ProtectedRedactionMessage/__tests__/ProtectedRedactionMessage.test.tsx index 97a1535a657..53ec88223b1 100644 --- a/src/protected/ProtectedRedactionMessage/__tests__/ProtectedRedactionMessage.test.tsx +++ b/src/protected/ProtectedRedactionMessage/__tests__/ProtectedRedactionMessage.test.tsx @@ -70,18 +70,12 @@ describe('Protected Redaction Messages', () => { it('should render the protected redaction message for Gen 1', async () => { const { container } = render(); - // const protectedNode = await screen.findByText( - // PROTECTED_REDACTION_GEN1_MESSAGE - // ); expect(container.firstChild).toMatchSnapshot(); }); it('should render the protected redaction message for Gen 2', async () => { const { container } = render(); - // const protectedNode = await screen.findByText( - // PROTECTED_REDACTION_GEN1_MESSAGE - // ); expect(container.firstChild).toMatchSnapshot(); }); }); From fbba8a16a9d9973698550c65fcfded35e440f3f7 Mon Sep 17 00:00:00 2001 From: katiegoines Date: Mon, 1 Jul 2024 12:20:08 -0400 Subject: [PATCH 19/19] fix heading order --- src/fragments/lib-v1/graphqlapi/ios/subscribe-data.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/fragments/lib-v1/graphqlapi/ios/subscribe-data.mdx b/src/fragments/lib-v1/graphqlapi/ios/subscribe-data.mdx index c4f51356633..ce1e4e01a2f 100644 
--- a/src/fragments/lib-v1/graphqlapi/ios/subscribe-data.mdx +++ b/src/fragments/lib-v1/graphqlapi/ios/subscribe-data.mdx @@ -82,7 +82,7 @@ func createSubscription() { -### Unsubscribing from updates +## Unsubscribing from updates #### Listener (iOS 11+)