#✅ - Post Confirmation "Cannot read properties of undefined (reading 'loginWith')"

Following tutorial here:
https://docs.amplify.aws/vue/build-a-backend/functions/examples/create-user-profile-record/
I get error when post-confirmaiton runs:

2024-05-29T23:49:34.456Z    undefined    ERROR    Uncaught Exception     
{
    "errorType": "TypeError",
    "errorMessage": "Cannot read properties of undefined (reading 'loginWith')",
    "stack": [
        "TypeError: Cannot read properties of undefined (reading 'loginWith')",
        "    at AmplifyClass.notifyOAuthListener (file:///var/task/index.mjs:27042:44)",
        "    at AmplifyClass.configure (file:///var/task/index.mjs:27023:10)",
        "    at Object.configure (file:///var/task/index.mjs:30481:15)",
        "    at file:///var/task/index.mjs:33705:16",
        "    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)"
    ]
}

My ./amplify/auth/resources.ts is set up correctly:

import { defineAuth } from "@aws-amplify/backend";
import { postConfirmation } from "./post-confirmation/resource";

/**
 * Define and configure your auth resource
 * @see https://docs.amplify.aws/gen2/build-a-backend/auth
 */
export const auth = defineAuth({
  loginWith: {
    email: true
  },
  groups: ["admin", "employee", "tenant", "stakeholder", "allusers"],
  triggers: {
    postConfirmation
  },
  access: allow => [allow.resource(postConfirmation).to(["addUserToGroup"])]
});

Any help would be appreciated.

Handler and models are attached.

👋 from the stack trace this is coming from the Amplify.configure. The Auth block is getting read as the auth resource configuration with requires a loginWith. the configure call takes 2 arguments: the resource config values, and the library config

Amplify.configure({
  API: {
    GraphQL: {
      endpoint: env.AMPLIFY_DATA_GRAPHQL_ENDPOINT,
      region: env.AWS_REGION,
      defaultAuthMode: 'iam'
    }
  },
  // this should be in the second arg
  Auth: {
    // @ts-ignore: credentialsProvider does not exist
    credentialsProvider: {
      getCredentialsAndIdentityId: async () => ({
        credentials: {
          accessKeyId: env.AWS_ACCESS_KEY_ID,
          secretAccessKey: env.AWS_SECRET_ACCESS_KEY,
          sessionToken: env.AWS_SESSION_TOKEN
        }
      }),
      clearCredentialsAndIdentityId: () => {
        /* noop */
      }
    }
  }
});

can you split these into two separate objects?

Amplify.configure(
  {
    API: {
      GraphQL: {
        endpoint: env.AMPLIFY_DATA_GRAPHQL_ENDPOINT,
        region: env.AWS_REGION,
        defaultAuthMode: "iam",
      },
    },
  },
  {
    Auth: {
      // @ts-ignore: credentialsProvider does not exist
      credentialsProvider: {
        getCredentialsAndIdentityId: async () => ({
          credentials: {
            accessKeyId: env.AWS_ACCESS_KEY_ID,
            secretAccessKey: env.AWS_SECRET_ACCESS_KEY,
            sessionToken: env.AWS_SESSION_TOKEN,
          },
        }),
        clearCredentialsAndIdentityId: () => {
          /* noop */
        },
      },
    },
  }
)

Guilty as charged. That was the issue. For bonus points - it did not create a User item. Any idea where the console.log statements are supposed to end up? They don't seem to be in the cloudwatch log group. I'm thinking there's a deficiancy in the example:

// create user profile
  await gql_client.graphql({
    query: createUser,
    variables: {
      input: {
        email_1: event.request.userAttributes.email,
        cognito_username: `${event.request.userAttributes.sub}::${event.userName}`
      }
    }
  });

I believe that await gql_client.graphql will return errors as a message and is erroring silently.

@valid owl

haha I had to read the code a few times to notice it 🫣

yes you may need to add a check for errors to throw manually. With the generated queries it's going to request every property in the model that you may/may not have access to read (based on auth rules, i.e. you'd lock down fields that contain PII and interact only when you really need them), and each that you do not have access to will come back as an error

if you plan to allow your function to access every field, a check such as if (errors.length > 0)would be sufficient