Merge branch 'main' into tjroach/cloudwatch-16kb-page-size-support

Author: vincetran

CHANGELOG.md

@@ -1,3 +1,33 @@
+## [Release 2.24.1](https://github.com/aws-amplify/amplify-android/releases/tag/release_v2.24.1)
+
+### Bug Fixes
+- **analytics:** Fix accessing the Analytics category from RxAmplify or Kotlin Facade ([#2944](https://github.com/aws-amplify/amplify-android/issues/2944))
+- **api:** Fix connecting to AppSync from China with API category ([#2948](https://github.com/aws-amplify/amplify-android/issues/2948))
+
+[See all changes between 2.24.0 and 2.24.1](https://github.com/aws-amplify/amplify-android/compare/release_v2.24.0...release_v2.24.1)
+
+## [Release 2.24.0](https://github.com/aws-amplify/amplify-android/releases/tag/release_v2.24.0)
+
+### Features
+- **auth:** Add support for Email MFA ([#2935](https://github.com/aws-amplify/amplify-android/issues/2935))
+
+[See all changes between 2.23.0 and 2.24.0](https://github.com/aws-amplify/amplify-android/compare/release_v2.23.0...release_v2.24.0)
+
+## [Release 2.23.0](https://github.com/aws-amplify/amplify-android/releases/tag/release_v2.23.0)
+
+### Features
+- **predictions:** Added region handling for creating correct streaming endpoint from region ([#2923](https://github.com/aws-amplify/amplify-android/issues/2923))
+- **api:** Pass authorization in header instead of query parameter for API category ([#2918](https://github.com/aws-amplify/amplify-android/issues/2918))
+
+[See all changes between 2.22.0 and 2.23.0](https://github.com/aws-amplify/amplify-android/compare/release_v2.22.0...release_v2.23.0)
+
+## [Release 2.22.0](https://github.com/aws-amplify/amplify-android/releases/tag/release_v2.22.0)
+
+### Features
+- **storage:** implement multiple buckets support ([#2904](https://github.com/aws-amplify/amplify-android/issues/2904))
+
+[See all changes between 2.21.1 and 2.22.0](https://github.com/aws-amplify/amplify-android/compare/release_v2.21.1...release_v2.22.0)
+
 ## [Release 2.21.1](https://github.com/aws-amplify/amplify-android/releases/tag/release_v2.21.1)
 
 ### Bug Fixes

README.md

@@ -71,14 +71,14 @@ dependencies section:
 ```groovy
 dependencies {
     // Only specify modules that provide functionality your app will use
-    implementation 'com.amplifyframework:aws-analytics-pinpoint:2.21.1'
-    implementation 'com.amplifyframework:aws-api:2.21.1'
-    implementation 'com.amplifyframework:aws-auth-cognito:2.21.1'
-    implementation 'com.amplifyframework:aws-datastore:2.21.1'
-    implementation 'com.amplifyframework:aws-predictions:2.21.1'
-    implementation 'com.amplifyframework:aws-storage-s3:2.21.1'
-    implementation 'com.amplifyframework:aws-geo-location:2.21.1'
-    implementation 'com.amplifyframework:aws-push-notifications-pinpoint:2.21.1'
+    implementation 'com.amplifyframework:aws-analytics-pinpoint:2.24.1'
+    implementation 'com.amplifyframework:aws-api:2.24.1'
+    implementation 'com.amplifyframework:aws-auth-cognito:2.24.1'
+    implementation 'com.amplifyframework:aws-datastore:2.24.1'
+    implementation 'com.amplifyframework:aws-predictions:2.24.1'
+    implementation 'com.amplifyframework:aws-storage-s3:2.24.1'
+    implementation 'com.amplifyframework:aws-geo-location:2.24.1'
+    implementation 'com.amplifyframework:aws-push-notifications-pinpoint:2.24.1'
 }
 ```
 

apollo/CHANGELOG.md

@@ -1,3 +1,10 @@
+## [Release 1.1.0](https://github.com/aws-amplify/amplify-android/releases/tag/release_apollo_v1.1.0)
+
+### Features
+- **apollo:** Use HTTP headers instead of query parameters for authorization ([#2916](https://github.com/aws-amplify/amplify-android/issues/2916))
+
+[See all changes between 1.0.0 and 1.1.0](https://github.com/aws-amplify/amplify-android/compare/release_apollo_v1.0.0...release_apollo_v1.1.0)
+
 # Release 1.0.0
 
 Initial Release

apollo/README.md

@@ -17,10 +17,10 @@ Add the dependency you prefer to your `build.gradle.kts` file.
 
 ```kotlin
 // To only use Apollo to speak to AppSync, without using Amplify
-implementation("com.amplifyframework:apollo-appsync:1.0.0")
+implementation("com.amplifyframework:apollo-appsync:1.1.0")
 
 // To connect Apollo to AppSync using your existing Amplify Gen2 Backend
-implementation("com.amplifyframework:apollo-appsync-amplify:1.0.0")
+implementation("com.amplifyframework:apollo-appsync-amplify:1.1.0")
 ```
 
 For applications using `apollo-appsync` directly, instantiate the Endpoint and the desired Authorizer instance, and then call the Apollo builder extension.
@@ -40,12 +40,86 @@ For applications using `apollo-appsync-amplify`, you can connect directly to you
 val connector = ApolloAmplifyConnector(context, AmplifyOutputs(R.raw.amplify_outputs))
 
 val apolloClient = ApolloClient.Builder()
-    .appSync(connector.endpoint, connect.apiKeyAuthorizer())
+    .appSync(connector.endpoint, connector.apiKeyAuthorizer())
     .build()
 ```
 
 Once you have constructed the Apollo client you can use it as normal for queries, mutations, and subscriptions to AppSync.
 
+## Authorization Modes
+
+AWS AppSync supports [five different authorization modes](https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html):
+
+- API Key
+- AWS Lambda Function
+- AWS IAM Permissions
+- OIDC Provider
+- Amazon Cognito User Pool
+
+The Apollo AppSync Extensions libraries expose three authorizer types to support these different authorization modes.
+
+### ApiKeyAuthorizer
+
+An `ApiKeyAuthorizer` is used to provide a key for [API Key authorization](https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html#api-key-authorization) requests.
+
+This Authorizer can be used with a hardcoded API key, by fetching the key from some source, or reading it from `amplify_outputs.json`:
+
+```kotlin
+// Create an authorizer directly with your API key:
+val authorizer = ApiKeyAuthorizer("[YOUR_API_KEY")
+```
+```kotlin
+// Create an authorizer that fetches your API key. The fetching function may be called many times, 
+// and should internally implement an appropriate caching mechanism.
+val authorizer = ApiKeyAuthorizer { fetchApiKey() }
+```
+```kotlin
+// Using ApolloAmplifyConnector to read API key from amplify_outputs.json
+val connector = ApolloAmplifyConnector(context, AmplifyOutputs(R.raw.amplify_outputs))
+val authorizer = connector.apiKeyAuthorizer()
+```
+
+### AuthTokenAuthorizer
+
+An `AuthTokenAuthorizer` sets an authentication header for use with [AWS Lambda](https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html#aws-lambda-authorization), 
+[OIDC provider](https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html#openid-connect-authorization), and
+[Amazon Cognito User Pool](https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html#amazon-cognito-user-pools-authorization)
+authorization modes.
+
+Using `ApolloAmplifyConnector` allows you to automatically authorize requests for the signed-in Amplify user, or you can implement the Authorizer's function parameter yourself to provide other types of tokens.
+
+```kotlin
+// Provide a token from e.g. an OIDC provider. The fetching function may be called many times, 
+// and should internally implement an appropriate caching mechanism.
+val authorizer = AuthTokenAuthorizer { fetchUserToken() }
+```
+```kotlin
+// Use ApolloAmplifyConnector to get Cognito tokens from Amplify for the signed-in user
+val connector = ApolloAmplifyConnector(context, AmplifyOutputs(R.raw.amplify_outputs))
+val authorizer = connector.authTokenAuthorizer()
+// or
+val authorizer = AuthTokenAuthorizer { ApolloAmplifyConnector.fetchLatestCognitoAuthToken() }
+```
+
+### IamAuthorizer
+
+An `IamAuthorizer` is used to provide request signature headers for using [AWS IAM-based authorization](https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html#aws-iam-authorization).
+
+Using `ApolloAmplifyConnector` is the easiest way to use this authorizer, but you can also implement the signing function yourself, by e.g. delegating to the [AWS Kotlin SDK](https://github.com/awslabs/aws-sdk-kotlin).
+
+```kotlin
+// Provide an implementation of the signing function. This function should implement the 
+// AWS Sig-v4 signing logic and return the authorization headers containing the token and signature.
+val authorizer = IamAuthorizer { signRequestAndReturnHeaders(it) }
+```
+```kotlin
+// Use ApolloAmplifyConnector to sign the request
+val connector = ApolloAmplifyConnector(context, AmplifyOutputs(R.raw.amplify_outputs))
+val authorizer = connector.iamAuthorizer()
+// or supply a region to sign via the companion function
+val authorizer = IamAuthorizer { ApolloAmplifyConnector.signAppSyncRequest(it, "us-east-1") }
+```
+
 ## Contributing
 
 - [CONTRIBUTING.md](../CONTRIBUTING.md)
@@ -56,4 +130,4 @@ See [CONTRIBUTING](../CONTRIBUTING.md#security-issue-notifications) for more inf
 
 ## License
 
-This project is licensed under the Apache-2.0 License.
+This project is licensed under the Apache-2.0 License.

apollo/apollo-appsync/src/main/java/com/amplifyframework/apollo/appsync/ApolloExtensions.kt

@@ -18,13 +18,16 @@
 package com.amplifyframework.apollo.appsync
 
 import com.amplifyframework.apollo.appsync.util.UserAgentHeader
+import com.amplifyframework.apollo.appsync.util.WebSocketConnectionInterceptor
 import com.apollographql.apollo.ApolloClient
 import com.apollographql.apollo.api.ApolloRequest
 import com.apollographql.apollo.api.NullableAnyAdapter
 import com.apollographql.apollo.api.Operation
 import com.apollographql.apollo.api.http.DefaultHttpRequestComposer
 import com.apollographql.apollo.api.toJsonString
+import com.apollographql.apollo.network.ws.DefaultWebSocketEngine
 import com.apollographql.apollo.network.ws.WebSocketNetworkTransport
+import okhttp3.OkHttpClient
 
 // Use the requestUuid as the subscriptionId
 internal val <D : Operation.Data> ApolloRequest<D>.subscriptionId: String
@@ -38,15 +41,25 @@ internal fun ApolloRequest<*>.toJson() =
  * Convenience function that configures the [WebSocketNetworkTransport] to connect to AppSync. This function:
  * 1. Sets the serverUrl
  * 2. Sets up an [AppSyncProtocol] using the given endpoint and authorizer
+ * 3. Adds an interceptor to append the authorization payload to the connection request
  * @param endpoint The [AppSyncEndpoint] to connect to
  * @param authorizer The [AppSyncAuthorizer] that determines the authorization mode to use when connecting to AppSync
  * @return The builder instance for chaining
  */
 fun WebSocketNetworkTransport.Builder.appSync(endpoint: AppSyncEndpoint, authorizer: AppSyncAuthorizer) = apply {
-    serverUrl { endpoint.createWebsocketServerUrl(authorizer) }
+    // Set the connection URL
+    serverUrl(endpoint.websocketConnection.toString())
 
+    // Add User-agent header
     addHeader(UserAgentHeader.NAME, UserAgentHeader.value)
 
+    // Add an interceptor that appends the authorization headers
+    val client = OkHttpClient.Builder()
+        .addInterceptor(WebSocketConnectionInterceptor(endpoint, authorizer))
+        .build()
+    webSocketEngine(DefaultWebSocketEngine(client))
+
+    // Set the WebSocket protocol
     protocol(
         AppSyncProtocol.Factory(
             endpoint = endpoint,

apollo/apollo-appsync/src/main/java/com/amplifyframework/apollo/appsync/AppSyncEndpoint.kt

@@ -21,7 +21,7 @@ import java.net.URL
 import okhttp3.HttpUrl.Companion.toHttpUrlOrNull
 
 private val standardEndpointRegex =
-    "^https://\\w{26}\\.appsync-api\\.\\w{2}(?:-\\w{2,})+-\\d\\.amazonaws.com/graphql$".toRegex()
+    "^https://\\w{26}\\.appsync-api\\.\\w{2}(?:-\\w{2,})+-\\d\\.amazonaws.com(?:\\.cn)?/graphql$".toRegex()
 
 /**
  * Class representing the AppSync endpoint. There are multiple URLs associated with each AppSync endpoint: the
@@ -62,6 +62,7 @@ class AppSyncEndpoint(serverUrl: String) {
      * Creates the serverUrl to be used for the WebSocketTransport's serverUrl. For AppSync, this URL has authorization
      * information appended in query parameters. Set this value as the serverUrl for the WebSocketTransport.
      */
+    @Deprecated("Use HTTP header authorization instead of appending a query parameter")
     suspend fun createWebsocketServerUrl(authorizer: AppSyncAuthorizer): String {
         val headers = mapOf("host" to serverUrl.host) + authorizer.getWebsocketConnectionHeaders(this)
         val authorization = headers.base64()

apollo/apollo-appsync/src/main/java/com/amplifyframework/apollo/appsync/util/WebSocketConnectionInterceptor.kt

@@ -0,0 +1,39 @@
+/*
+ * Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+package com.amplifyframework.apollo.appsync.util
+
+import com.amplifyframework.apollo.appsync.AppSyncAuthorizer
+import com.amplifyframework.apollo.appsync.AppSyncEndpoint
+import kotlinx.coroutines.runBlocking
+import okhttp3.Interceptor
+import okhttp3.Response
+
+/**
+ * Intercepts the WebSocket connection request to append the authorization headers
+ */
+internal class WebSocketConnectionInterceptor(
+    private val endpoint: AppSyncEndpoint,
+    private val authorizer: AppSyncAuthorizer
+) : Interceptor {
+    override fun intercept(chain: Interceptor.Chain): Response {
+        // runBlocking is okay because we are on an IO thread when the interceptor is called
+        val headers = runBlocking { authorizer.getWebsocketConnectionHeaders(endpoint) }
+        val builder = chain.request().newBuilder()
+        headers.forEach { header -> builder.header(header.key, header.value) }
+        builder.header("host", endpoint.serverUrl.host)
+        return chain.proceed(builder.build())
+    }
+}

apollo/apollo-appsync/src/test/java/com/amplifyframework/apollo/appsync/ApolloExtensionsTest.kt

@@ -22,16 +22,12 @@ import com.apollographql.apollo.api.AnyAdapter
 import com.apollographql.apollo.api.CustomScalarAdapters
 import com.apollographql.apollo.api.json.BufferedSourceJsonReader
 import com.apollographql.apollo.network.ws.WebSocketNetworkTransport
-import io.kotest.matchers.shouldBe
 import io.mockk.mockk
-import io.mockk.slot
 import io.mockk.spyk
 import io.mockk.verify
 import kotlinx.coroutines.test.runTest
-import okhttp3.HttpUrl.Companion.toHttpUrl
 import okio.Buffer
 import okio.ByteString
-import okio.ByteString.Companion.decodeBase64
 import org.junit.Test
 
 class ApolloExtensionsTest {
@@ -84,23 +80,21 @@ class ApolloExtensionsTest {
         val transportBuilder = mockk<WebSocketNetworkTransport.Builder>(relaxed = true)
         builder.appSync(endpoint, authorizer, transportBuilder)
 
-        val slot = slot<suspend () -> String>()
         verify {
-            transportBuilder.serverUrl(capture(slot))
+            transportBuilder.serverUrl(
+                "https://example1234567890123456789.appsync-realtime-api.us-east-1.amazonaws.com/graphql/connect"
+            )
         }
+    }
 
-        val serverUrl = slot.captured().toHttpUrl()
-
-        // Expected URL:
-        // https://example1234567890123456789.appsync-realtime-api.us-east-1.amazonaws.com/graphql/connect
-        serverUrl.host shouldBe "example1234567890123456789.appsync-realtime-api.us-east-1.amazonaws.com"
-        serverUrl.encodedPath shouldBe "/graphql/connect"
-
-        val header = serverUrl.queryParameter("header")?.decodeBase64()!!.toJsonMap()
-        header["host"] shouldBe "example1234567890123456789.appsync-api.us-east-1.amazonaws.com"
-        header["x-api-key"] shouldBe "apiKey"
+    @Test
+    fun `sets websocket engine`() {
+        val transportBuilder = mockk<WebSocketNetworkTransport.Builder>(relaxed = true)
+        builder.appSync(endpoint, authorizer, transportBuilder)
 
-        serverUrl.queryParameter("payload") shouldBe "e30="
+        verify {
+            transportBuilder.webSocketEngine(any())
+        }
     }
 
     @Suppress("UNCHECKED_CAST")

apollo/apollo-appsync/src/test/java/com/amplifyframework/apollo/appsync/AppSyncEndpointTest.kt

@@ -26,6 +26,8 @@ import org.junit.Test
 
 class AppSyncEndpointTest {
     private val standardAppSyncUrl = "https://example1234567890123456789.appsync-api.us-east-1.amazonaws.com/graphql"
+    private val standardAppSyncUrlChina =
+        "https://example1234567890123456789.appsync-api.us-east-1.amazonaws.com.cn/graphql"
     private val customAppSyncUrl = "https://api.example.com/graphql"
 
     @Test
@@ -48,6 +50,13 @@ class AppSyncEndpointTest {
             "https://example1234567890123456789.appsync-realtime-api.us-east-1.amazonaws.com/graphql/connect"
     }
 
+    @Test
+    fun `uses expected realtime URL for standard endpoint in China`() {
+        val endpoint = AppSyncEndpoint(standardAppSyncUrlChina)
+        endpoint.websocketConnection.toString() shouldBe
+            "https://example1234567890123456789.appsync-realtime-api.us-east-1.amazonaws.com.cn/graphql/connect"
+    }
+
     @Test
     fun `uses expected realtime URL for custom endpoint`() {
         val endpoint = AppSyncEndpoint(customAppSyncUrl)