Currently any `currentUserLiteral` routes when accessed with a bad
token throw a 500 due to a SQL error that is raised because
`Model.findById` is invoked with `id={currentUserLiteral}`
(`id=me` in our case) when the url rewrite fails.
This commit changes the token middleware to return 401 Not Authorized
when the client is requesting a currentUserLiteral route without
a valid access token.
Disable invalidation of access tokens by default to restore backwards
compatibility with older 2.x versions.
Add a new application-wide flag logoutSessionsOnSensitiveChanges
that can be used to explicitly turn on/off the token invalidation.
When the flag is not set, a verbose warning is printed to nudge the user
to make a decision how they want to handle token invalidation.
- Add a new User setting 'allowEternalTokens'
- Enhance 'AccessToken.validate' to support eternal tokens with ttl
value -1 when the user model allows it.
Fix token middleware to check if `req.loopbackContext` is active.
The context is not active for example when express-session calls
setImmediate which breaks CLS.
Use local registry in test fixtures to prevent collision in globally
shared models.
Fix issues discoverd in auth implementation where the global registry
was used instead of the correct local one.
Subsequent token middleware tries to read `token.id`
when `enableDoublecheck: true`.
That caused a "Cannot read property `id` of `null`" error
when the first middleware didn't actually find a valid accessToken.
[back-port of #2227]
Add two new options:
- When `enableDoublecheck` is true, the middleware will run
even if a previous middleware has already set `req.accessToken`
(possibly to `null` for anonymous requests)
- When `overwriteExistingToken` is true (and `enableDoublecheck` too),
the middleware will overwrite `req.accessToken` set by a previous
middleware instances.
- `loopback.registry` is now a true global registry
- `app.registry` is unique per app object
- `Model.registry` is set when a Model is created using any registry method
- `loopback.localRegistry` and `loopback({localRegistry: true})` when set to `true` this will create a `Registry` per `Application`. It defaults to `false`.
Enhance the error objects with a `code` property containing
a machine-readable string code describing the error, for example
INVALID_TOKEN or USER_NOT_FOUND.
Also improve 404 error messages to include the model name.
Allow convenient URLs for curl and browsers such as:
- http://some-long-token@localhost:3000/
- http://token:some-long-token@localhost:3000/
Basic Auth specifies a 'Basic' scheme for the Authorization header
similar to how OAuth specifies 'Bearer' as an auth scheme.
Following a similar convention, extract the access token from the
Authorization header when it specifies the 'Basic' scheme, assuming
it is the larger of the <user>:<pass> segments.
Make `loopback.rest` self-contained, so that authentication works
out of the box.
var app = loopback();
app.enableAuth();
app.use(loopback.rest());
Note that cookie parsing middleware is not added, users have to
explicitly configure that if they want to store access tokens
in cookies.
Modify `loopback.token` to skip token lookup when the request already
contains `accessToken` property. This is in line with other
connect-based middleware like `cookieParser` or `json`.