Only Update Data fails with error: "Unauthorized on [owner]" but owner is defined to be allowed to CRUD on resource.ts #5834

Open
4 of 14 tasks
fujimonfn opened this issue Jan 19, 2025 · 1 comment
Labels
pending-triage This issue is in the backlog of issues to triage

Comments

@fujimonfn

Description

**Summary:**
For data with fields and authorizations defined as follows, create, read, and delete succeed, but only update fails.

```ts
DeviceTokenData: a
    .model({
        id: a.id().required(),
        owner: a.string().authorization((allow) => [allow.owner().to(['read', 'delete'])]),
        deviceToken: a.string().required(),
    })
    .secondaryIndexes((index) => [
        index('owner')
    ])
    .authorization((allow) => [allow.owner()]),
```

Background:
We built a data model to store device tokens for sending push notifications.
To define a secondary index on the owner, we defined an “owner” field, which does not need to be explicitly defined, and defined an authorization at the field level for this field only.

Categories

  • Analytics
  • API (REST)
  • API (GraphQL)
  • Auth
  • Authenticator
  • DataStore
  • Notifications (Push)
  • Storage

Steps to Reproduce

  1. Define model like this. Make sure to set default auth mode "userPool".

```ts
DeviceTokenData: a
    .model({
        id: a.id().required(),
        owner: a.string().authorization((allow) => [allow.owner().to(['read', 'delete'])]),
        deviceToken: a.string().required(),
    })
    .secondaryIndexes((index) => [
        index('owner')
    ])
    .authorization((allow) => [allow.owner()]),
```

  2. Implement Update

```dart
// get record first
final queryRequest = ModelQueries.get(
  DeviceTokenData.classType,
  DeviceTokenDataModelIdentifier(id: deviceId),
);
final queryResponse = await Amplify.API.query(request: queryRequest).response;
// then update
final newDeviceTokenData = queryResponse.data!.copyWith(deviceToken: deviceToken);
final updateRequest = ModelMutations.update(
  newDeviceTokenData
);
final updateResponse = await Amplify.API.mutate(request: updateRequest).response;
if (updateResponse.errors.isNotEmpty) {
  logger.e('Update failed: ${updateResponse.errors.map((e) => 'Message: ${e.message}, ErrorType: ${e.errorType}').join('\n')}');
  return;
}
```

Update failed: Message: Unauthorized on [owner], ErrorType: Unauthorized<…>

Screenshots

No response

Platforms

  • iOS
  • Android
  • Web
  • macOS
  • Windows
  • Linux

Flutter Version

3.24.4

Amplify Flutter Version

2.5.0

Deployment Method

Amplify Gen 2

Schema

```ts
import { type ClientSchema, a, defineData } from '@aws-amplify/backend';

const schema = a
    .schema({
        DeviceTokenData: a
            .model({
                id: a.id().required(),
                owner: a.string().authorization((allow) => [allow.owner().to(['read', 'delete'])]),
                deviceToken: a.string().required(),
            })
            .secondaryIndexes((index) => [
                index('owner')
            ])
            .authorization((allow) => [allow.owner()]),
    })
    .authorization((allow) => [
        allow.publicApiKey().to([]),
    ]);

export type Schema = ClientSchema<typeof schema>;

export const data = defineData({
    schema,
    authorizationModes: {
        defaultAuthorizationMode: 'userPool',
        apiKeyAuthorizationMode: {
            expiresInDays: 7,
        },
    },
});
```
@github-actions github-actions bot added pending-triage This issue is in the backlog of issues to triage pending-maintainer-response Pending response from a maintainer of this repository labels Jan 19, 2025
@tyllark
Member

tyllark commented Jan 20, 2025

Hello @fujimonfn, thank you for taking the time to open this issue. We will investigate and get back to you.

@github-actions github-actions bot removed the pending-maintainer-response Pending response from a maintainer of this repository label Jan 20, 2025