using owner in an identifier #3105

Open
mainvtm opened this issue Jan 4, 2025 · 3 comments
Labels
Gen 2 pending-maintainer-response Issue is pending a response from the Amplify team. question Further information is requested transferred

mainvtm commented Jan 4, 2025

Environment information

System:
  OS: Windows 10 10.0.19045
  CPU: (8) x64 Intel(R) Core(TM) i7-7700K CPU @ 4.20GHz
  Memory: 17.07 GB / 31.96 GB
Binaries:
  Node: 22.12.0 - C:\Program Files\nodejs\node.EXE
  Yarn: 1.22.17 - ~\AppData\Roaming\npm\yarn.CMD
  npm: 9.6.4 - C:\Program Files\nodejs\npm.CMD
  pnpm: undefined - undefined
NPM Packages:
  @aws-amplify/auth-construct: 1.3.2
  @aws-amplify/backend: 1.5.1
  @aws-amplify/backend-auth: 1.2.0
  @aws-amplify/backend-cli: 1.3.0
  @aws-amplify/backend-data: 1.1.5
  @aws-amplify/backend-deployer: 1.1.5
  @aws-amplify/backend-function: 1.7.1
  @aws-amplify/backend-output-schemas: 1.4.0
  @aws-amplify/backend-output-storage: 1.1.2
  @aws-amplify/backend-secret: 1.1.4
  @aws-amplify/backend-storage: 1.2.1
  @aws-amplify/cli-core: 1.1.3
  @aws-amplify/client-config: 1.5.0
  @aws-amplify/deployed-backend-client: 1.4.2
  @aws-amplify/form-generator: 1.0.3
  @aws-amplify/model-generator: 1.0.8
  @aws-amplify/platform-core: 1.1.0
  @aws-amplify/plugin-types: 1.3.0
  @aws-amplify/sandbox: 1.2.3
  @aws-amplify/schema-generator: 1.2.4
  aws-amplify: 6.6.6
  aws-cdk: 2.163.1
  aws-cdk-lib: 2.163.1
  typescript: 5.6.3
AWS environment variables:
  AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
  AWS_SDK_LOAD_CONFIG = 1
  AWS_STS_REGIONAL_ENDPOINTS = regional
No CDK environment variables

Describe the bug

I'm trying to use identifier to ensure that each user only adds an email address once (email is unique per owner).

Reproduction steps

If I leave it as optional (as per the documentation), I can't use owner in the identifier:

const schema = a.schema({
  Contact: a
    .model({
      firstName: a.string().required(),
      lastName: a.string().required(),
      email: a.string().required(),
      owner: a
        .string()
        .authorization((allow) => [allow.owner().to(['read'])]),
      address: a.string().required(),
    })
    .authorization((allow) => [
      allow.owner().to(['create', 'read', 'update', 'delete']),
    ])
    .identifier(['owner', 'email']), // error: Type '"owner"' is not assignable to type '"firstName" | "lastName" | "email" | "address"'
});

However, if I set owner as required, I cannot create rows, as I would need to supply owner.

const schema = a.schema({
  Contact: a
    .model({
      firstName: a.string().required(),
      lastName: a.string().required(),
      email: a.string().required(),
      owner: a
        .string()
        .required()
        .authorization((allow) => [allow.owner().to(['read'])]),
      address: a.string().required(),
    })
    .authorization((allow) => [
      allow.owner().to(['create', 'read', 'update', 'delete']),
    ])
    .identifier(['owner', 'email']),
});

/*...*/

const contact: any = {
  firstName: "jack",
  lastName: "jones",
  email: "[email protected]",
  address: "lonely",
};

const response = await client.models.Contact.create(contact);
// error: "Variable 'input' has coerced Null value for NonNull type 'String!'

/*...*/

const contact: any = {
  owner: auth.user.userId,
  firstName: "jack",
  lastName: "jones",
  email: "[email protected]",
  address: "lonely",
};

const response = await client.models.Contact.create(contact);
//  Unauthorized on [owner]

ykethan commented Jan 6, 2025

Hey,👋 thanks for raising this! I'm going to transfer this over to our API repository for better assistance.

@ykethan ykethan transferred this issue from aws-amplify/amplify-backend Jan 6, 2025
@phani-srikar
Contributor

Hi @mainvtm, we do not recommend using the owner field as part of the primary key, partly for the reasons you've outlined in this issue. In order to meet your use case, "ensure that each user only adds an email address once (email is unique per owner)", you can set up a field-level auth rule such that only the owner can create the email once and not be able to update it, as shown below:

const schema = a.schema({
  Contact: a
    .model({
      firstName: a.string().required(),
      lastName: a.string().required(),
      email: a
        .string()
        .required()
        .authorization((allow) => [allow.owner().to(['create', 'read'])]),
      owner: a
        .string()
        .authorization((allow) => [allow.owner().to(['read'])]),
      address: a.string().required(),
    })
    .authorization((allow) => [
      allow.owner().to(['create', 'read', 'update', 'delete']),
    ])
    .identifier(['email']),
});

@phani-srikar phani-srikar removed their assignment Jan 6, 2025
@AnilMaktala AnilMaktala added question Further information is requested pending-community-response Issue is pending a response from the author or community. and removed pending-triage labels Jan 7, 2025

mainvtm commented Jan 22, 2025

Hi @phani-srikar

This doesn't solve the requirement of having unique owner-email pairs (different owners could not create a contact with the same email?). I achieved this with a secondary index, but this feels like it should be possible with the primary index.

  Contact: a
    .model({
      id: a.id().required(),
      owner: a.string().authorization((allow) => [allow.owner().to(['read', 'delete'])]),
      firstName: a.string().required(),
      lastName: a.string().required(),
      email: a.string().required(),
      address: a.string(),
    })
    .authorization((allow) => [allow.owner()])
    .secondaryIndexes((indexes) => [indexes('owner').sortKeys(['email'])]),
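
The two key designs discussed in this thread, as an added example that is not part of any participant's post and is not Amplify code: an in-memory model comparing an email-only key with an (owner, email) key, where the owner is always taken from the verified caller and never from the request body. `Caller`, `ContactInput`, `ContactRow` and `ContactStore` are hypothetical names, and the sample data is constructed.

```typescript
// Added illustration: an in-memory model, not Amplify or AppSync code.
// Caller, ContactInput, ContactRow and ContactStore are hypothetical names.
type Caller = { sub: string }; // verified user id taken from the auth token
type ContactInput = { firstName: string; lastName: string; email: string; address: string };
type ContactRow = ContactInput & { owner: string };
type KeyMode = "email" | "owner+email";

class ContactStore {
  private rows = new Map<string, ContactRow>();
  private mode: KeyMode;
  constructor(mode: KeyMode) {
    this.mode = mode;
  }

  // Encode the key as a JSON tuple so that no delimiter inside owner or
  // email can make two different pairs collide.
  private key(owner: string, email: string): string {
    return JSON.stringify(this.mode === "email" ? [email] : [owner, email]);
  }

  // The owner comes from the verified caller, never from the request body,
  // so a caller cannot create rows in another user's key space.
  create(caller: Caller, input: ContactInput): { ok: boolean; error?: string } {
    if ("owner" in input) return { ok: false, error: "owner is server-assigned" };
    const k = this.key(caller.sub, input.email);
    if (this.rows.has(k)) return { ok: false, error: "duplicate key" }; // put-if-absent
    this.rows.set(k, { ...input, owner: caller.sub });
    return { ok: true };
  }

  listFor(caller: Caller): ContactRow[] {
    return Array.from(this.rows.values()).filter((row) => row.owner === caller.sub);
  }
}

// Constructed sample data.
const alice: Caller = { sub: "user-alice" };
const bob: Caller = { sub: "user-bob" };
const jack: ContactInput = { firstName: "jack", lastName: "jones", email: "jack@example.com", address: "lonely" };

// Alice adds jack twice, then Bob adds the same email once.
function demo(mode: KeyMode): boolean[] {
  const store = new ContactStore(mode);
  return [store.create(alice, jack), store.create(alice, jack), store.create(bob, jack)].map((r) => r.ok);
}

console.log(demo("email"), demo("owner+email"));
```

With the email-only key, Bob's create is rejected as a duplicate; with the composite key, only Alice's repeated create is rejected.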

@github-actions github-actions bot added pending-maintainer-response Issue is pending a response from the Amplify team. and removed pending-community-response Issue is pending a response from the author or community. labels Jan 22, 2025