Loopback: Where do I find my access token??

Created on 17 Nov 2014  ·  17 Comments  ·  Source: strongloop/loopback

What do I enter here:
image

Yes... I've searched.


All 17 comments

User#login, this method will return the token. If you don't have a user, you can create a new user.

Thanks for the fast response. I am starting from an empty database - so I understand I have to add a user with an ID and password in order to post to this route:

image

Any advice how to easily add a user?

You should be able to use the POST method right there on the same explorer screen, and then use the login with the same data to obtain the token.

OK - did that! Where is the token?
image

The “id” is your access token.

Thanks,


Raymond Feng
Co-Founder and Architect @ StrongLoop, Inc.


These basic questions imply that the documentation is not clear for starters. You might want to take this as a tip to enhance the documentation further as part of the Get Started guide.

:+1: to sinoami. Loopback documentation and GitHub issues should get the attention they need.

Ah! It works. Thanks very much. The first thing I was doing was trying to do a "get" "/users", which it will still not let me do. But I tried a get on my own userId and was able to retrieve data.

What kind of credential do I need to see all users? How do I set it?

Cheers!

Amen on the Docs - I agree that basic stuff is really too hard to figure out right now. The API explorer is one of the big attractions but you can't "do" anything without a token and I can not find anywhere an explanation how to get token. Almost funny... even once you have a token you can only do some things and not others I am finding.

@dstroot

To understand how access control (ACL) works in general, check out these links:

To understand how access control (ACL) works for the users resource, check out the acl section in the source code:

What kind of credential do I need to see all users? How do I set it?

What you want to do is create an admin role and assign that role to one of your users, or create an admin user.

Here's how to do it programmatically. Create a boot script and include this:

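module.exports = function(app) {
  // Built-in models; assumes they are enabled in the app's model configuration
  var User = app.models.User;
  var Role = app.models.Role;
  var RoleMapping = app.models.RoleMapping;

  // Create the admin user (placeholder credentials, change them before use)
  User.create([
    {username: 'admin', email: '[email protected]', password: 'somepassword'}
  ], function(err, users) {
    if (err) return console.error(err);
    // Create the admin role
    Role.create({
      name: 'admin'
    }, function(err, role) {
      if (err) return console.error(err);
      // Give Admin user the admin role
      role.principals.create({
        principalType: RoleMapping.USER,
        principalId: users[0].id
      }, function(err, principal) {
        if (err) return console.error(err);
        // done!
      });
    });
  });
};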

AWESOME! Very helpful! Thanks.

While sending a request to get a user by id, how can the token that I got from the login response be set? Or do we have to append it manually in the query string?

Here is a little summary from what I found out about authentication in LoopBack:

To get an access token you have to POST to your user model's login route. The access token will be in the response's id field. You can also search for it in your database's AccessToken table. Just filter it by your user's id.

If you use Passport with LoopBack, you have to use the route you set in the providers.json file's authPath property. In this case the access token will be saved in a cookie called access-token. You can set up LoopBack to search for the access token in the cookie by placing the following code into server.js:

app.use(loopback.token({
  cookies: ['access-token'],
  headers: ['access-token', 'X-Access-Token'],
  params: ['access-token', 'access_token']
}));

This code will also look for the token in the request header and the URI parameters. Feel free to remove the techniques you don't want to use when searching for the access token.

@totymedli to clarify, if I want to User.logout() with a passport+loopback setup, does loopback.token() store the accessToken as a property anywhere? Or else how am I meant to pass the accessToken to the logout method?

@janbaykara The access token is stored in the cookies:

  • document.cookie on the frontend
  • req.headers.cookie on the backend

So you can retrieve it from there and call the logout endpoint with it.

Example for cookie retrieval on the backend in a route:

module.exports = function (server) {
  let router = server.loopback.Router()
  router.get('/', (req, res) => {
    res.send(req.headers.cookie)
  })
  server.use(router)
}

Of course the cookie string needs to be parsed. Check out the Stack Overflow question on this.

Sure. I just found I had to use regex to acquire the actual accessToken. Namely:

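// [A-Za-z0-9] instead of [A-z0-9]: the A-z range also matches [ \ ] ^ _ and `
let cookieBits = (req.headers.cookie || '').match(/access_token=s%3A([A-Za-z0-9]+)/);
// match() returns null when the cookie is absent
let accessToken = cookieBits ? cookieBits[1] : null;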

User.logout(accessToken, ...

I assumed loopback would have had some kind of helper method to acquire it.
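
Added example, not part of the thread and not LoopBack's own code: the regex above takes the token out of the signed cookie without checking the signature that follows it. This sketch parses the Cookie header and returns the token only if the signature verifies, assuming the cookie is an Express cookie-parser signed cookie (`s:<token>.<signature>`, HMAC-SHA256, unpadded base64); the secret, token and header values are constructed.

```javascript
const crypto = require('crypto');

// Parse a raw Cookie header into a {name: value} map, URL-decoding each value.
function parseCookies(header) {
  const jar = Object.create(null);
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    if (!(name in jar)) jar[name] = value; // first occurrence wins
  }
  return jar;
}

// Signature format assumed here (cookie-parser signed cookies):
// unpadded base64 of HMAC-SHA256(secret, value).
function sign(value, secret) {
  return crypto.createHmac('sha256', secret).update(value).digest('base64').replace(/=+$/, '');
}

// Return the token from a signed cookie "s:<token>.<signature>", or null if
// the cookie is missing, unsigned, or the signature does not verify.
function tokenFromSignedCookie(header, cookieName, secret) {
  const raw = parseCookies(header)[cookieName];
  if (typeof raw !== 'string' || !raw.startsWith('s:')) return null;
  const body = raw.slice(2);
  const dot = body.lastIndexOf('.');
  if (dot <= 0) return null;
  const token = body.slice(0, dot);
  const given = Buffer.from(body.slice(dot + 1));
  const expected = Buffer.from(sign(token, secret));
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  if (given.length !== expected.length) return null;
  return crypto.timingSafeEqual(given, expected) ? token : null;
}

// Constructed sample: secret, token and headers are made up for this example.
const SECRET = 'example-cookie-secret';
const TOKEN = 'AbC123exampleTokenValue';
const GOOD_HEADER = 'theme=dark; access_token=' +
  encodeURIComponent('s:' + TOKEN + '.' + sign(TOKEN, SECRET));
const FORGED_HEADER = GOOD_HEADER.replace(TOKEN, 'ZZZ123exampleTokenValue');

console.log(tokenFromSignedCookie(GOOD_HEADER, 'access_token', SECRET));
console.log(tokenFromSignedCookie(FORGED_HEADER, 'access_token', SECRET));
```

The secret passed in must be the same cookie secret the server uses when it sets the cookie.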
