fix: remove aws_iam directive incorrectly added to interfaces (#3283)

svidgen · web-flow · commit 5b7f4c3c3298 · 2025-05-15T15:15:46.000-05:00
diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/iam-custom-operations.test.ts b/packages/amplify-graphql-auth-transformer/src/__tests__/iam-custom-operations.test.ts
@@ -514,6 +514,45 @@ describe('Custom operations have @aws_iam directives when enableIamAuthorization
       expect(out.schema).toMatch(/type EventInvocationResponse.*@aws_iam/);
     });
 
+    test('Does not add @aws_iam to interfaces', () => {
+      const strategy = makeStrategy(strategyType);
+      const schema = /* GraphQL */ `
+        interface FooInterface {
+          id: ID!
+        }
+        type Foo {
+          description: String
+        }
+        type EventInvocationResponse @aws_api_key {
+          success: Boolean!
+        }
+        type Query {
+          getFooCustom: Foo
+        }
+        type Mutation {
+          updateFooCustom: Foo
+          doSomethingAsync(body: String!): EventInvocationResponse
+            @function(name: "FnDoSomethingAsync", invocationType: Event)
+            @auth(rules: [{ allow: public, provider: apiKey }])
+        }
+        type Subscription {
+          onUpdateFooCustom: Foo @aws_subscribe(mutations: ["updateFooCustom"])
+        }
+      `;
+
+      const out = testTransform({
+        schema,
+        dataSourceStrategies: constructDataSourceStrategies(schema, strategy),
+        authConfig: makeAuthConfig(),
+        synthParameters: makeSynthParameters(),
+        transformers: makeTransformers(),
+        sqlDirectiveDataSourceStrategies: makeSqlDirectiveDataSourceStrategies(schema, strategy),
+      });
+
+      // Also expect the custom type referenced by the custom operation to be authorized
+      expect(out.schema).not.toMatch(/interface FooInterface.*@aws_iam/);
+    });
+
     test('Does not add duplicate @aws_iam directive to custom type if already present', () => {
       const strategy = makeStrategy(strategyType);
       const schema = /* GraphQL */ `
diff --git a/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts b/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts
@@ -394,10 +394,15 @@ export class AuthTransformer extends TransformerAuthBase implements TransformerA
       return !type.directives?.some((dir) => dir.name.value === 'model');
     };
 
+    const isNotInterface = (type: TypeDefinitionNode): boolean => {
+      return type.kind !== Kind.INTERFACE_TYPE_DEFINITION;
+    };
+
     ctx.inputDocument.definitions
       .filter(isObjectTypeDefinitionNode)
       .filter(isNonModelType)
       .filter(needsAwsIamDirective)
+      .filter(isNotInterface)
       .forEach((def) => extendTypeWithDirectives(ctx, def.name.value, [makeDirective('aws_iam', [])]));
   };
 
