DataStore multi-auth is not working with mixed owner and public auth rules #2399

Closed
1 task done
HuiSF opened this issue Apr 18, 2023 · 4 comments
Labels: bug (Something isn't working), datastore (DataStore category/plugins), pending-release (Code has been merged but pending release)

Comments

@HuiSF
Member

HuiSF commented Apr 18, 2023

Language and Async Model

Kotlin

Amplify Categories

DataStore


Describe the bug

Original issue: aws-amplify/amplify-flutter#2527 | aws-amplify/amplify-flutter#1693
Related amplify-swift issue: aws-amplify/amplify-swift#2873

DataStore multi-auth is not working as expected.

Take schema

type UserProfile @model @auth(rules: [{ allow: owner }]) {
  id: ID!
  name: String!
}

type ModelA @model @auth(rules: [{ allow: public, provider: apiKey }]) {
  id: ID!
  content: String
}

type ModelB
  @model
  @auth(
    rules: [
      { allow: public, provider: apiKey, operations: [read] }
      { allow: owner }
    ]
  ) {
  id: ID!
  content: String
}

type ModelC
  @model
  @auth(
    rules: [
      { allow: public, provider: apiKey, operations: [read] }
      { allow: private, provider: userPools }
    ]
  ) {
  id: ID!
  content: String
}

When configuring DataStore to use multi-auth mode with NO authenticated session:

Expected Behavior

As a developer, I want my end users to have read access to Model A, B and C, including receiving subscription events.

| models | sync queries | subscriptions |
| --- | --- | --- |
| UserProfile | No | No |
| ModelA | Yes | Yes |
| ModelB | Yes | Yes |
| ModelC | Yes | Yes |

Actual Behavior

| models | sync queries | subscriptions |
| --- | --- | --- |
| UserProfile | No | No |
| ModelA | No | No |
| ModelB | No | No |
| ModelC | No | No |

What happened: amplify-android attempted to create a subscription for UserProfile; when there was no authenticated user session, the subscription failed and put DataStore into the LOCAL_ONLY mode. The should-be-allowed read operations on other models were not working. This makes the multi-auth mode unusable.

Reproduction steps (if applicable)

  1. Use the above schema example to set up DataStore + API sync + auth (default Cognito User Pool + API key as additional auth mode)
  2. Start DataStore without signing in a user and watch the sync behavior
  3. Sign in a user, start DataStore and watch the sync behavior

@HuiSF HuiSF added the datastore DataStore category/plugins label Apr 18, 2023
@dengdan154 dengdan154 added bug Something isn't working pending-triage Issue is pending triage labels Apr 20, 2023
@eeatonaws eeatonaws removed the pending-triage Issue is pending triage label Apr 21, 2023
@mattcreaser mattcreaser assigned mattcreaser and unassigned tjleing Aug 11, 2023
@mattcreaser
Member

I've verified this error and will look into it.

@mattcreaser
Member

Okay so it looks like what is happening in this case is that in the MultiAuthSubscriptionOperation once all the auth modes are exhausted it emits a generic ApiException. Meanwhile, back in DataStore, the SubscriptionProcessor will ignore Unauthorized errors from GraphQL, but the generic error instead falls into the failure logic that cancels everything.

Seems like we need a two part fix here:

  • When auth modes are exhausted the API category should emit an exception that explicitly indicates what happened.
  • DataStore should ignore this error type for the purposes of establishing subscriptions.
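
A reduced Kotlin model of the two-part fix described in the comment above, added here as an illustration and not Amplify Android's code. Every type and function name is hypothetical, and each model's auth rules from the issue's schema are reduced to the list of auth modes allowed to read it.

```kotlin
// Added illustration; every name below is hypothetical, not Amplify's API.
enum class AuthMode { API_KEY, USER_POOLS }

// A model's read rules, reduced to the auth modes that may subscribe to it.
data class Model(val name: String, val readModes: List<AuthMode>)

open class ApiException(message: String) : Exception(message)

// Part 1 of the fix: a distinct type for "every auth mode was tried and refused".
class AuthModesExhaustedException(model: String) :
    ApiException("No usable auth mode for $model")

// Stand-in for the API category: try each allowed mode in order.
fun subscribe(model: Model, available: Set<AuthMode>): AuthMode =
    model.readModes.firstOrNull { it in available }
        ?: throw AuthModesExhaustedException(model.name)

enum class SyncState { ONLINE, LOCAL_ONLY }

data class SyncResult(
    val state: SyncState,
    val subscribed: Map<String, AuthMode>,
    val skipped: List<String>,
)

// Part 2 of the fix: skip models the caller cannot read; any other
// API failure still drops sync to LOCAL_ONLY.
fun startSubscriptions(models: List<Model>, available: Set<AuthMode>): SyncResult {
    val subscribed = linkedMapOf<String, AuthMode>()
    val skipped = mutableListOf<String>()
    for (model in models) {
        try {
            subscribed[model.name] = subscribe(model, available)
        } catch (e: AuthModesExhaustedException) {
            skipped += model.name // not authorized: no data for this model, no outage
        } catch (e: ApiException) {
            return SyncResult(SyncState.LOCAL_ONLY, emptyMap(), skipped)
        }
    }
    return SyncResult(SyncState.ONLINE, subscribed, skipped)
}

fun main() {
    // The issue's schema, with a signed-out session (only the API key is usable).
    val schema = listOf(
        Model("UserProfile", listOf(AuthMode.USER_POOLS)),
        Model("ModelA", listOf(AuthMode.API_KEY)),
        Model("ModelB", listOf(AuthMode.API_KEY, AuthMode.USER_POOLS)),
        Model("ModelC", listOf(AuthMode.API_KEY, AuthMode.USER_POOLS)),
    )
    println(startSubscriptions(schema, setOf(AuthMode.API_KEY)))
}
```

Catching only the dedicated exception type keeps the skip narrow: a model is left out solely because no configured auth mode may read it, while any other API failure still stops sync as before.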

@mattcreaser
Member

This fix was released in Amplify Android 2.12.0!
