1. Make it possible to reuse getIdForRequest()
2. Introduce a flag to control if oAuth2 bearer token should be base64
encoded
3. Promote resolve() to locate/validate access tokens by id
Currently any `currentUserLiteral` routes when accessed with a bad
token throw a 500 due to a SQL error that is raised because
`Model.findById` is invoked with `id={currentUserLiteral}`
(`id=me` in our case) when the url rewrite fails.
This commit changes the token middleware to return 401 Not Authorized
when the client is requesting a currentUserLiteral route without
a valid access token.
Fixing server/middleware/token.js to handle correctly the
setup of a custom AccessToken model by name in either
middleware.json or using any of :
app.use(loopback.token({...}));
app.middlewareFromConfig(loopback.token, {...})
app.middleware('auth', loopback.token({...})
Modify `app.enableAuth()` to verify that (custom) User and AccessToken
models have correctly configured their hasMany/belongsTo relations
and print a warning otherwise.
Notable side-effects:
- loopback no longer exports "caller" and "arguments" properties
- kv-memory connector is now properly added to the connector registry
- the file "test/support.js" was finally removed
- Add a new User setting 'allowEternalTokens'
- Enhance 'AccessToken.validate' to support eternal tokens with ttl
value -1 when the user model allows it.
Fix token middleware to check if `req.loopbackContext` is active.
The context is not active for example when express-session calls
setImmediate which breaks CLS.
Use local registry in test fixtures to prevent collision in globally
shared models.
Fix issues discoverd in auth implementation where the global registry
was used instead of the correct local one.
subsequent token middleware tries to read `token.id` when `enableDoublecheck: true`. That caused a "Cannot read property `id` of `null`" error when the first middleware didn't actually find a valid accessToken.
Add two new options:
- When `enableDoublecheck` is true, the middleware will run
even if a previous middleware has already set `req.accessToken`
(possibly to `null` for anonymous requests)
- When `overwriteExistingToken` is true (and `enableDoublecheck` too),
the middleware will overwrite `req.accessToken` set by a previous
middleware instances.
- `loopback.registry` is now a true global registry
- `app.registry` is unique per app object
- `Model.registry` is set when a Model is created using any registry method
- `loopback.localRegistry` and `loopback({localRegistry: true})` when set to `true` this will create a `Registry` per `Application`. It defaults to `false`.
Enhance the error objects with a `code` property containing
a machine-readable string code describing the error, for example
INVALID_TOKEN or USER_NOT_FOUND.
Also improve 404 error messages to include the model name.
Allow convenient URLs for curl and browsers such as:
- http://some-long-token@localhost:3000/
- http://token:some-long-token@localhost:3000/
Basic Auth specifies a 'Basic' scheme for the Authorization header
similar to how OAuth specifies 'Bearer' as an auth scheme.
Following a similar convention, extract the access token from the
Authorization header when it specifies the 'Basic' scheme, assuming
it is the larger of the <user>:<pass> segments.
Make `loopback.rest` self-contained, so that authentication works
out of the box.
var app = loopback();
app.enableAuth();
app.use(loopback.rest());
Note that cookie parsing middleware is not added, users have to
explicitly configure that if they want to store access tokens
in cookies.
Modify `loopback.token` to skip token lookup when the request already
contains `accessToken` property. This is in line with other
connect-based middleware like `cookieParser` or `json`.
Justin Ross
Miroslav Bajtoš
Raymond Feng
Aaron Buchanan
ebarault
Miroslav Bajtoš
Loay
David Cheung
Carl Fürstenberg
Benjamin Kroeger
Supasate Choochaisri
Ryan Graham
Benjamin Kröger
Miroslav Bajtoš
Raymond Feng
Ritchie Martori
Ron Edgecomb
Ryan Graham
Rob Halff
Karl Mikkelsen