Loopback-next: How can we have auth middleware to authorize each and every request

Created on 19 Jan 2019 · 5 Comments · Source: strongloop/loopback-next

In the current authentication example, username and password are passed as arguments to the verify function, but for every request that won't be the case. How can we access header data in auth-strategy.provider?

Authentication question stale

All 5 comments

Hey @shendkardevesh.
There is a RestBindings.Http.REQUEST binding in the @loopback/rest package to inject the request object. You can inject the request object into your provider and access headers from there.

Also, some of the strategies let you specify header fields to get credentials from on each request. For example:

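import { inject, Provider, ValueOrPromise } from '@loopback/context';
import { RestBindings, Request } from '@loopback/rest';
import { Strategy } from 'passport';
import { Strategy as JWTStrategy, ExtractJwt } from 'passport-jwt';

export class HttpAuthStrategyProvider implements Provider<Strategy | undefined> {
  constructor(
    // The current HTTP request, resolved per request by the REST layer
    @inject(RestBindings.Http.REQUEST) private request: Request,
    // ... omitted
  ) {

    this.verifyBasic = this.verifyBasic.bind(this);
  }

  value(): ValueOrPromise<Strategy | undefined> {

    // No authentication metadata on the target method: nothing to enforce
    if (!this.metadata) {
      return undefined;
    }

    const name = this.metadata.strategy;
    if (name === 'JWTStrategy') {
      return new JWTStrategy({
        secretOrKey: this.configuration.secrets.jwtSecret,
        // Here extract from headers. passport-jwt looks the name up in request.headers
        // as given and Node lower-cases incoming header names, so use the lowercase form.
        jwtFromRequest: ExtractJwt.fromHeader('SOME_HEADER_NAME')
      }, this.verifyCallback);
    } else {
      return Promise.reject(`Strategy ${name} is not defined`);
    }
  }

  // .... omitted
}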
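
Added example, not part of the original thread and not LoopBack or passport-jwt code: a dependency-free sketch of what a header-based JWT strategy does on every request, namely extract the bearer token from the lower-cased authorization header, pin HS256, compare the signature in constant time and check exp. All function names, the secret and the sample claims are assumptions constructed for illustration.

```typescript
import { createHmac, timingSafeEqual } from 'crypto';

// Node lower-cases incoming header names; a repeated header may arrive as an array.
type Headers = Record<string, string | string[] | undefined>;
type Claims = Record<string, unknown>;

const enc = (o: object): string => Buffer.from(JSON.stringify(o)).toString('base64url');
const dec = (s: string): any => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
const mac = (data: string, secret: string): Buffer => createHmac('sha256', secret).update(data).digest();

// Accept exactly one "Authorization: Bearer <three base64url segments>" value.
function extractBearer(headers: Headers): string | undefined {
  const raw = headers['authorization'];
  if (typeof raw !== 'string') return undefined; // absent or not a single value
  const m = /^Bearer ([\w-]+\.[\w-]+\.[\w-]+)$/i.exec(raw.trim());
  return m ? m[1] : undefined;
}

// Return the claims of a valid, unexpired HS256 token; undefined on any failure.
function verifyHs256(token: string, secret: string, nowSec: number): Claims | undefined {
  const parts = token.split('.');
  if (parts.length !== 3) return undefined;
  const [h, p, sig] = parts;
  try {
    if (dec(h).alg !== 'HS256') return undefined; // pin the algorithm; rejects "none"
    const expected = mac(`${h}.${p}`, secret);
    const given = Buffer.from(sig, 'base64url');
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) return undefined;
    const claims = dec(p);
    if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return undefined;
    return claims;
  } catch {
    return undefined; // malformed base64url or JSON
  }
}

// Per-request flow of a header-based strategy: extract, then verify.
function authenticate(headers: Headers, secret: string, nowSec: number): Claims | undefined {
  const token = extractBearer(headers);
  return token ? verifyHs256(token, secret, nowSec) : undefined;
}

// Helper that signs constructed sample claims so the example runs offline.
function sign(claims: Claims, secret: string): string {
  const body = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}`;
  return `${body}.${mac(body, secret).toString('base64url')}`;
}
```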

Thanks @osmanmesutozcan, I was trying to achieve the above JWTStrategy stuff a few days back and was stuck.
I was going through the LB4 documentation and learning this framework, but I am sure I would not have found the use of 'RestBindings.Http.REQUEST' just through the documentation :( [or maybe I missed something]. Thanks again!

Discussion with @raymondfeng @jannyHou @emonddr:

A few pointers:

This issue has been marked stale because it has not seen activity within six months. If you believe this to be in error, please contact one of the code owners, listed in the CODEOWNERS file at the top-level of this repository. This issue will be closed within 30 days of being stale.
