fix: Multiple custom operation group auth definition of custom type (revisited) (#575)

Author: stocaaro

.changeset/silly-toes-stare.md

@@ -0,0 +1,5 @@
+---
+'@aws-amplify/data-schema': patch
+---
+
+fix duplicate authorizations for custom types used in multiple custom operations

packages/data-schema/__tests__/CustomOperations.test.ts

@@ -1841,7 +1841,7 @@ describe('custom operations + custom type auth inheritance', () => {
     expect(result).toMatchSnapshot();
     expect(result).toEqual(
       expect.stringContaining(
-        'type QueryReturn @aws_api_key @aws_cognito_user_pools @aws_cognito_user_pools(cognito_groups: ["admin", "superAdmin"]) @aws_iam',
+        'type QueryReturn @aws_api_key @aws_cognito_user_pools @aws_iam @aws_cognito_user_pools(cognito_groups: ["admin", "superAdmin"])',
       ),
     );
   });

packages/data-schema/__tests__/ModelType.test.ts

@@ -231,6 +231,57 @@ describe('model auth rules', () => {
     expect(graphql).toMatchSnapshot();
   });
 
+  it(`can deduplicate authorization prevent errors from auth defined by multiple custom operations`, () => {
+    const schema = a.schema({
+      CustomType: a.customType({
+        id: a.string().required(),
+        name: a.string().required(),
+      }),
+      getSomething: a
+        .query()
+        .arguments({
+          arg1: a.string().required(),
+        })
+        .returns(a.ref("CustomType").required().array().required())
+        .handler(a.handler.function('exampleFunc'))
+        .authorization((allow) => [
+          allow.group("Admin"),
+          allow.publicApiKey(),
+          allow.authenticated(),
+          allow.guest(),
+          allow.authenticated('identityPool')
+        ]),
+      getSomething2: a
+        .query()
+        .arguments({
+          arg1: a.string().required(),
+        })
+        .returns(a.ref("CustomType").required().array().required())
+        .handler(a.handler.function('exampleFunc'))
+        .authorization((allow) => [
+          allow.groups(["Admin", 'User']),
+          allow.publicApiKey(),
+        ]),
+      getSomething3: a
+        .query()
+        .arguments({
+          arg1: a.string().required(),
+        })
+        .returns(a.ref("CustomType").required().array().required())
+        .handler(a.handler.function('exampleFunc'))
+        .authorization((allow) => [allow.groups(["Admin", "User"])])
+    });
+
+    const graphql = schema.transform().schema;
+    expect(graphql).toMatchSnapshot();
+
+    expect(graphql).toEqual(
+      expect.stringContaining(
+        'type CustomType @aws_api_key @aws_cognito_user_pools @aws_iam @aws_cognito_user_pools(cognito_groups: ["Admin", "User"])',
+      ),
+    );
+  });
+
   it(`can create a "multiple owners" rule on an implied (auto-created) field`, () => {
     const schema = a.schema({
       widget: a

packages/data-schema/__tests__/__snapshots__/CustomOperations.test.ts.snap

@@ -970,7 +970,7 @@ type Query {
 `;
 
 exports[`custom operations + custom type auth inheritance op returns top-level custom type with all supported auth modes 1`] = `
-"type QueryReturn @aws_api_key @aws_cognito_user_pools @aws_cognito_user_pools(cognito_groups: ["admin", "superAdmin"]) @aws_iam
+"type QueryReturn @aws_api_key @aws_cognito_user_pools @aws_iam @aws_cognito_user_pools(cognito_groups: ["admin", "superAdmin"])
 {
   fieldA: String
   fieldB: Int

packages/data-schema/__tests__/__snapshots__/ModelType.test.ts.snap

@@ -136,6 +136,25 @@ exports[`model auth rules can create a static Admins group rule 1`] = `
 }"
 `;
 
+exports[`model auth rules can deduplicate authorization prevent errors from auth defined by multiple custom operations 1`] = `
+"type CustomType @aws_api_key @aws_cognito_user_pools @aws_iam @aws_cognito_user_pools(cognito_groups: ["Admin", "User"])
+{
+  id: String!
+  name: String!
+}
+
+type Query {
+  getSomething(arg1: String!): [CustomType!]! @function(name: "exampleFunc") @auth(rules: [{allow: groups, groups: ["Admin"]},
+  {allow: public, provider: apiKey},
+  {allow: private},
+  {allow: public, provider: iam},
+  {allow: private, provider: iam}])
+  getSomething2(arg1: String!): [CustomType!]! @function(name: "exampleFunc") @auth(rules: [{allow: groups, groups: ["Admin", "User"]},
+  {allow: public, provider: apiKey}])
+  getSomething3(arg1: String!): [CustomType!]! @function(name: "exampleFunc") @auth(rules: [{allow: groups, groups: ["Admin", "User"]}])
+}"
+`;
+
 exports[`model auth rules can define a custom authorization rule 1`] = `
 "type Widget @model @auth(rules: [{allow: custom}])
 {

packages/data-schema/src/SchemaProcessor.ts

@@ -913,17 +913,16 @@ function mapToNativeAppSyncAuthDirectives(
     } else {
       rules.add(provider);
     }
-
-    groupProvider.forEach((groups, provider) => {
-      rules.add(
-        `${provider}(cognito_groups: [${Array.from(groups)
-          .map((group) => `"${group}"`)
-          .join(', ')}])`,
-      );
-      // example: (cognito_groups: ["Bloggers", "Readers"])
-    })
   }
 
+  groupProvider.forEach((groups, provider) => {
+    rules.add(
+      `${provider}(cognito_groups: [${Array.from(groups)
+        .map((group) => `"${group}"`)
+        .join(', ')}])`,
+    );
+    // example: (cognito_groups: ["Bloggers", "Readers"])
+  })
 
   const authString = [...rules].join(' ');