Return 401 when the request does not provide any accessToken argument
or the token was not found.
Also simplify the implementation of the `logout` method to make only
a single database call (`deleteById`) instead of `findById` + `delete`.
Disable invalidation of access tokens by default to restore backwards
compatibility with older 2.x versions.
Add a new application-wide flag logoutSessionsOnSensitiveChanges
that can be used to explicitly turn on/off the token invalidation.
When the flag is not set, a verbose warning is printed to nudge the user
to make a decision how they want to handle token invalidation.
Fix User model to preserve the current session (provided via
"options.accessToken") when invalidating access tokens after a change
of email or password property.
We noticed that every time the user model updates, the emailVerified
column would change to false, even though the email was not changed
at all.
I took a look and realized there might be an error in
https://github.com/strongloop/loopback/commit/eb640d8
The intent of the commit just mention is to make emailVerified false
when the email gets changed, but notice that ctx.data.email is null
on updates, so the condition is always met and emailVerified always
becomes false.
This commit fixes the issue just mentioned.
Rework User tests to not depend on `app.autoAttach()` and global shared
registry of Models. Instead, each tests creates a fresh app instance
with a new in-memory datasource and a new set of Models.
We should never be showing this publically.
Adds unit test for hiding verification token.
This is a back-port of pull request #1851 from gausie/patch-4
This commit adds the ability for the developer to use a custom token generator function for the user.verify(...) method. By default, the system will still use the crypto.randomBytes() method if no option is provided.
Make the "redirect" parameter optional. When the parameter is not
specified, the server responds with an empty response (204). This allows
API clients to call the method without the need to handle redirects
and HTML responses.
Even when the "redirect" parameter is included, the builtin afterRemote
hook still calls next(), so that user-provided afterRemote hooks
are executed too.
Enhance the error objects with a `code` property containing
a machine-readable string code describing the error, for example
INVALID_TOKEN or USER_NOT_FOUND.
Also improve 404 error messages to include the model name.
Miroslav Bajtoš
Ritchie Martori
Aris Kemper
João Ribeiro
Sergey Reus
박대선
Bram Borggreve
Adrien Kiren
Loay
Dhaval Trivedi
jannyHou
Simon Ho
Ryan Graham
Ryan Graham
Miroslav Bajtoš
Richard Pringle
Simo Moujami
Samuel Gaus
Pradnya Baviskar
Raymond Feng
Miroslav Bajtoš
jakerella
Ron Edgecomb
Raymond Feng