Using Components - Authentication - 《LoopBack 4 Document》

Overview
Installation
Authentication Component
Using the Authentication Decorator
Adding an Authentication Action to a Custom Sequence
Binding the Authenticating Sequence to the Application
Creating a Custom Authentication Strategy
Registering a Custom Authentication Strategy
- Using Passport-based Strategies
Managing Custom Authentication Strategy Options
Summary

Overview

Security is of paramount importance when developing a web or mobile applicationand usually consists of two distinct pieces:

Authentication
AuthorizationAuthentication is a process ofverifying someone’s identity before a protected resource is accessed.

Authorization is a process ofdeciding if a user can perform an action on a protected resource.

Note:

For a description of an Authorization process, please see Authorization.

This document describes the details of the LoopBack 4 Authentication componentfrom the @loopback/authentication package.

Here is a high level overview of the authentication component.

A decorator to express an authentication requirement on controller methods
A provider to access method-level authentication metadata
An action in the REST sequence to enforce authentication
An extension point to discover all authentication strategies and handle thedelegationHere is a detailed overview of the authentication component.

Basically, to secure your API endpoints, you need to:

decorate the endpoints of a controller with the@authenticate(strategyName, options?) decorator (app developer)
insert the authentication action in a custom sequence (app developer)
create a custom authentication strategy with a unique name (extensiondeveloper)
register the custom authentication strategy (app developer)The Authentication Component takes care of the rest.

Installation

npm install --save @loopback/authentication

Authentication Component

To utilize authentication in an application application.ts, you must loadthe authentication component named AuthenticationComponent.

export class MyApplication extends BootMixin(
  ServiceMixin(RepositoryMixin(RestApplication)),
) {
  constructor(options?: ApplicationConfig) {
    super(options);
    //...
    this.component(AuthenticationComponent);
    //...
  }
}

The AuthenticationComponent is defined as follows:

export class AuthenticationComponent implements Component {
  providers?: ProviderMap;
  constructor() {
    this.providers = {
      [AuthenticationBindings.AUTH_ACTION.key]: AuthenticateActionProvider,
      [AuthenticationBindings.STRATEGY.key]: AuthenticationStrategyProvider,
      [AuthenticationBindings.METADATA.key]: AuthMetadataProvider,
    };
  }
}

As you can see, there are a few providerswhich make up the bulk of the authenticaton component.

Essentially

The binding key AuthenticationBindings.AUTH_ACTION.key is bound toAuthenticateActionProvider which returns an authenticating function of typeAuthenticateFn
The binding key AuthenticationBindings.STRATEGY.key is bound toAuthenticationStrategyProvider which resolves and returns an authenticationstrategy of type AuthenticationStrategy
The binding key AuthenticationBindings.METADATA.key is bound toAuthMetadataProvider which returns authentication decorator metadata of typeAuthenticationMetadataThe purpose of these providers and the values they return will be explained inthe sections below.

Using the Authentication Decorator

Securing your application’s API endpoints is done by decorating controllerfunctions with theAuthentication Decorator.

The decorator’s syntax is:

@authenticate(strategyName: string, options?: object)

The strategyName is the unique name of the authentication strategy.

When the options object is specified, it must be relevant to that particularstrategy.

Here is an example of the decorator using a custom authentication strategy named‘basic’ without options, for the endpoint /whoami in a controller namedWhoAmIController. (We willcreate andregister the ‘basic’authentication strategy in later sections)

import {inject} from '@loopback/context';
import {
  AuthenticationBindings,
  UserProfile,
  authenticate,
} from '@loopback/authentication';
import {SecurityBindings} from '@loopback/security';
import {get} from '@loopback/rest';
export class WhoAmIController {
  constructor(
    // After extracting the CURRENT_USER key to module `@loopback/security`,
    // `AuthenticationBindings.CURRENT_USER` is turned to an alias of
    // `SecurityBindings.USER`
    @inject(SecurityBindings.USER)
    private userProfile: UserProfile,
  ) {}
  @authenticate('basic')
  @get('/whoami')
  whoAmI(): string {
    return this.userProfile.id;
  }
}

Note:If only some of the controller methods are decorated with the @authenticate decorator, then the injection decorator for CURRENT_USER in the controller’s constructor must be specified as @inject(SecurityBindings.USER, {optional:true}) to avoid a binding error when an unauthenticated endpoint is accessed. Alternatively, do not inject CURRENT_USER in the controller constructor, but in the controller methods which are actually decorated with the @authenticate decorator. See Method Injection, Constructor Injection and Optional Dependencies for details.

An example of the decorator when options are specified looks like this:

@authenticate('basic', { /* some options for the strategy */})

Tip: To avoid repeating the same options in the @authenticate decorator for many endpoints in a controller, you can instead define global options which can be injected into an authentication strategy thereby allowing you to avoid specifying the options object in the decorator itself. For controller endpoints that need to override a global option, you can specify it in an options object passed into the decorator. Your authentication strategy would need to handle the option overrides. See Managing Custom Authentication Strategy Options for details.

After a request is successfully authenticated, the current user profile isavailable on the request context. You can obtain it via dependency injection byusing the SecurityBindings.USER binding key.

Parameters of the @authenticate decorator can be obtained via dependencyinjection using the AuthenticationBindings.METADATA binding key. It returnsdata of type AuthenticationMetadata provided by AuthMetadataProvider. TheAuthenticationStrategyProvider, discussed in a later section, makes use ofAuthenticationMetadata to figure out what name you specified as aparameter in the @authenticate decorator of a specific controller endpoint.

Adding an Authentication Action to a Custom Sequence

In a LoopBack 4 application with REST API endpoints, each request passes througha stateless grouping of actions called a Sequence.

Here is an example of the default sequence that is created in a LoopBack 4application.

export class DefaultSequence implements SequenceHandler {
  /**
   * Constructor: Injects findRoute, invokeMethod & logError
   * methods as promises.
   *
   * @param {FindRoute} findRoute Finds the appropriate controller method,
   *  spec and args for invocation (injected via SequenceActions.FIND_ROUTE).
   * @param {ParseParams} parseParams The parameter parsing function (injected
   * via SequenceActions.PARSE_PARAMS).
   * @param {InvokeMethod} invoke Invokes the method specified by the route
   * (injected via SequenceActions.INVOKE_METHOD).
   * @param {Send} send The action to merge the invoke result with the response
   * (injected via SequenceActions.SEND)
   * @param {Reject} reject The action to take if the invoke returns a rejected
   * promise result (injected via SequenceActions.REJECT).
   */
  constructor(
    @inject(SequenceActions.FIND_ROUTE) protected findRoute: FindRoute,
    @inject(SequenceActions.PARSE_PARAMS) protected parseParams: ParseParams,
    @inject(SequenceActions.INVOKE_METHOD) protected invoke: InvokeMethod,
    @inject(SequenceActions.SEND) public send: Send,
    @inject(SequenceActions.REJECT) public reject: Reject,
  ) {}
  /**
   * Runs the default sequence. Given a handler context (request and response),
   * running the sequence will produce a response or an error.
   *
   * Default sequence executes these steps
   *  - Finds the appropriate controller method, swagger spec
   *    and args for invocation
   *  - Parses HTTP request to get API argument list
   *  - Invokes the API which is defined in the Application Controller
   *  - Writes the result from API into the HTTP response
   *  - Error is caught and logged using 'logError' if any of the above steps
   *    in the sequence fails with an error.
   *
   * @param context The request context: HTTP request and response objects,
   * per-request IoC container and more.
   */
  async handle(context: RequestContext): Promise<void> {
    try {
      const {request, response} = context;
      const route = this.findRoute(request);
      const args = await this.parseParams(request, route);
      const result = await this.invoke(route, args);
      debug('%s result -', route.describe(), result);
      this.send(response, result);
    } catch (error) {
      this.reject(context, error);
    }
  }
}

By default, authentication is not part of the sequence of actions, so youmust create a custom sequence and add the authentication action.

An authentication action AuthenticateFn is provided by theAuthenticateActionProvider class.

AuthenticateActionProvider is defined as follows:

export class AuthenticateActionProvider implements Provider<AuthenticateFn> {
  constructor(
    // The provider is instantiated for Sequence constructor,
    // at which time we don't have information about the current
    // route yet. This information is needed to determine
    // what auth strategy should be used.
    // To solve this, we are injecting a getter function that will
    // defer resolution of the strategy until authenticate() action
    // is executed.
    @inject.getter(AuthenticationBindings.STRATEGY)
    readonly getStrategy: Getter<AuthenticationStrategy>,
    @inject.setter(SecurityBindings.USER)
    readonly setCurrentUser: Setter<UserProfile>,
  ) {}
  /**
   * @returns authenticateFn
   */
  value(): AuthenticateFn {
    return request => this.action(request);
  }
  /**
   * The implementation of authenticate() sequence action.
   * @param request The incoming request provided by the REST layer
   */
  async action(request: Request): Promise<UserProfile | undefined> {
    const strategy = await this.getStrategy();
    if (!strategy) {
      // The invoked operation does not require authentication.
      return undefined;
    }
    const userProfile = await strategy.authenticate(request);
    if (!userProfile) {
      // important to throw a non-protocol-specific error here
      let error = new Error(
        `User profile not returned from strategy's authenticate function`,
      );
      Object.assign(error, {
        code: USER_PROFILE_NOT_FOUND,
      });
      throw error;
    }
    this.setCurrentUser(userProfile);
    return userProfile;
  }
}

AuthenticateActionProvider’s value() function returns a function of typeAuthenticateFn. This function attempts to obtain an authentication strategy(resolved by AuthenticationStrategyProvider via theAuthenticationBindings.STRATEGY binding). If no authentication strategywas specified for this endpoint, the action immediately returns. If anauthentication strategy was specified for this endpoint, itsauthenticate(request) function is called. If a user profile is returned, thismeans the user was authenticated successfully, and the user profile is added tothe request context (via the SecurityBindings.USER binding); otherwise anerror is thrown.

Here is an example of a custom sequence which utilizes the authenticationaction.

export class MyAuthenticatingSequence implements SequenceHandler {
  constructor(
    @inject(SequenceActions.FIND_ROUTE) protected findRoute: FindRoute,
    @inject(SequenceActions.PARSE_PARAMS)
    protected parseParams: ParseParams,
    @inject(SequenceActions.INVOKE_METHOD) protected invoke: InvokeMethod,
    @inject(SequenceActions.SEND) protected send: Send,
    @inject(SequenceActions.REJECT) protected reject: Reject,
    @inject(AuthenticationBindings.AUTH_ACTION)
    protected authenticateRequest: AuthenticateFn,
  ) {}
  async handle(context: RequestContext) {
    try {
      const {request, response} = context;
      const route = this.findRoute(request);
      //call authentication action
      await this.authenticateRequest(request);
      // Authentication successful, proceed to invoke controller
      const args = await this.parseParams(request, route);
      const result = await this.invoke(route, args);
      this.send(response, result);
    } catch (error) {
      //
      // The authentication action utilizes a strategy resolver to find
      // an authentication strategy by name, and then it calls
      // strategy.authenticate(request).
      //
      // The strategy resolver throws a non-http error if it cannot
      // resolve the strategy. When the strategy resolver obtains
      // a strategy, it calls strategy.authenticate(request) which
      // is expected to return a user profile. If the user profile
      // is undefined, then it throws a non-http error.
      //
      // It is necessary to catch these errors and add HTTP-specific status
      // code property.
      //
      // Errors thrown by the strategy implementations already come
      // with statusCode set.
      //
      // In the future, we want to improve `@loopback/rest` to provide
      // an extension point allowing `@loopback/authentication` to contribute
      // mappings from error codes to HTTP status codes, so that application
      // don't have to map codes themselves.
      if (
        error.code === AUTHENTICATION_STRATEGY_NOT_FOUND ||
        error.code === USER_PROFILE_NOT_FOUND
      ) {
        Object.assign(error, {statusCode: 401 /* Unauthorized */});
      }
      this.reject(context, error);
      return;
    }
  }
}

Notice the new dependency injection in the sequence’s constructor.

@inject(AuthenticationBindings.AUTH_ACTION)
protected authenticateRequest: AuthenticateFn,

The binding key AuthenticationBindings.AUTH_ACTION gives us access to theauthentication function authenticateRequest of type AuthenticateFn providedby AuthenticateActionProvider.

Now the authentication function authenticateRequest can be called in ourcustom sequence anywhere before the invoke action in order secure theendpoint.

There are two particular protocol-agnostic errorsAUTHENTICATION_STRATEGY_NOT_FOUND and USER_PROFILE_NOT_FOUND which must beaddressed in the sequence, and given an HTTP status code of 401 (UnAuthorized).

It is up to the developer to throw the appropriate HTTP error code from within acustom authentications strategy or its custom services.

If any error is thrown during the authentication process, the controllerfunction of the endpoint is never executed.

Binding the Authenticating Sequence to the Application

Now that we’ve defined a custom sequence that performs an authentication actionon every request, we must bind it to the application application.ts

export class MyApplication extends BootMixin(
  ServiceMixin(RepositoryMixin(RestApplication)),
) {
  constructor(options?: ApplicationConfig) {
    super(options);
    //...
    this.sequence(MyAuthenticatingSequence);
    //...
  }
}

Creating a Custom Authentication Strategy

Support for multiple authentication strategies is possible with a commonauthentication strategy interface, and an extensionPoint/extensions patternused to register and discover authentication strategies.

The AuthenticationComponent declares a common authentication strategyinterface named AuthenticationStrategy.

export interface AuthenticationStrategy {
  /**
   * The 'name' property is a unique identifier for the
   * authentication strategy (for example: 'basic', 'jwt', etc)
   */
  name: string;
  /**
   * The 'authenticate' method takes in a given request and returns a user profile
   * which is an instance of 'UserProfile'.
   * (A user profile is a minimal subset of a user object)
   * If the user credentials are valid, this method should return a 'UserProfile' instance.
   * If the user credentials are invalid, this method should throw an error
   * If the user credentials are missing, this method should throw an error, or return 'undefined'
   * and let the authentication action deal with it.
   *
   * @param request - Express request object
   */
  authenticate(request: Request): Promise<UserProfile | undefined>;
}

Developers that wish to create a custom authentication strategy must implementthis interface. The custom authentication strategy must have a unique nameand have an authenticate function which takes in a request and returns theuser profile of an authenticated user.

Here is an example of a basic authentication strategyBasicAuthenticationStrategy with the name 'basic' inbasic-strategy.ts:

export interface Credentials {
  username: string;
  password: string;
}
export class BasicAuthenticationStrategy implements AuthenticationStrategy {
  name: string = 'basic';
  constructor(
    @inject(UserServiceBindings.USER_SERVICE)
    private userService: UserService,
  ) {}
  async authenticate(request: Request): Promise<UserProfile | undefined> {
    const credentials: Credentials = this.extractCredentials(request);
    const user = await this.userService.verifyCredentials(credentials);
    const userProfile = this.userService.convertToUserProfile(user);
    return userProfile;
  }
  extractCredentials(request: Request): Credentials {
    let creds: Credentials;
    /**
     * Code to extract the 'basic' user credentials from the Authorization header
     */
    return creds;
  }
}

As you can see in the example, an authentication strategy can inject customservices to help it accomplish certain tasks. See the complete examples forbasic authentication strategyandjwt authentication strategy.

The AuthenticationComponent component also provides two optional serviceinterfaces which may be of use to your application:UserServiceandTokenService.

Registering a Custom Authentication Strategy

The registration and discovery of authentication strategies is possiblevia the Extension Point and Extensionspattern.

You don’t have to worry about the discovery of authentication strategies,this is taken care of by AuthenticationStrategyProvider which resolves andreturns an authentication strategy of type AuthenticationStrategy.

The AuthenticationStrategyProvider class (shown below) declares anextension point namedAuthenticationBindings.AUTHENTICATION_STRATEGY_EXTENSION_POINT_NAME via the@extensionPoint decorator. The binding scope is set to transient becausean authentication strategy may differ with each request.

With the aid of metadata of type AuthenticationMetadata (provided byAuthMetadataProvider and injected via the AuthenticationBindings.METADATAbinding key), the name of the authentication strategy, specified in the@authenticate decorator for this request, is obtained.

Then, with the aid of the @extensions() getter decorator,AuthenticationStrategyProvider is responsible for finding andreturning the authentication strategy which has that specific name andhas been registered as an extension of the aforementioned extensionpoint.

@extensionPoint(
  AuthenticationBindings.AUTHENTICATION_STRATEGY_EXTENSION_POINT_NAME,
  {scope: BindingScope.TRANSIENT},
) //this needs to be transient, e.g. for request level context.
export class AuthenticationStrategyProvider
  implements Provider<AuthenticationStrategy | undefined> {
  constructor(
    @extensions()
    private authenticationStrategies: Getter<AuthenticationStrategy[]>,
    @inject(AuthenticationBindings.METADATA)
    private metadata?: AuthenticationMetadata,
  ) {}
  async value(): Promise<AuthenticationStrategy | undefined> {
    if (!this.metadata) {
      return undefined;
    }
    const name = this.metadata.strategy;
    const strategy = await this.findAuthenticationStrategy(name);
    if (!strategy) {
      // important to throw a non-protocol-specific error here
      let error = new Error(`The strategy '${name}' is not available.`);
      Object.assign(error, {
        code: AUTHENTICATION_STRATEGY_NOT_FOUND,
      });
      throw error;
    }
    return strategy;
  }
  async findAuthenticationStrategy(name: string) {
    const strategies = await this.authenticationStrategies();
    const matchingAuthStrategy = strategies.find(a => a.name === name);
    return matchingAuthStrategy;
  }
}

In order for your custom authentication strategy to be found, it needs to beregistered.

Registering a custom authentication strategy BasicAuthenticationStrategyas an extension of theAuthenticationBindings.AUTHENTICATION_STRATEGY_EXTENSION_POINT_NAME extensionpoint in an application application.ts is as simple as:

import {registerAuthenticationStrategy} from '@loopback/authentication';
export class MyApplication extends BootMixin(
  ServiceMixin(RepositoryMixin(RestApplication)),
) {
  constructor(options?: ApplicationConfig) {
    super(options);
    //...
    registerAuthenticationStrategy(this, BasicAuthenticationStrategy);
    //...
  }
}

Using Passport-based Strategies

The earlier version of @loopback/authentication is based on an expressmiddleware called passport, which supports 500+ passport strategies forverifying an express app’s requests. In @loopback/authentication@2.0, wedefined our own interface AuthenticationStrategy that describes a strategywith different contracts than the passport strategy, but we still want to keepthe ability to support those existing 500+ community passport strategies.Therefore, we rewrote the adapter class. It now converts a passport strategy tothe one that LoopBack 4 authentication system expects and it was released in anew package @loopback/authentication-passport.

Creating and registering a passport strategy is explained inthe README.md file

The usage of authentication decorator and the change in sequence stay the same.

Managing Custom Authentication Strategy Options

This is an optional step.

If your custom authentication strategy doesn’t require special options, you canskip this section.

As previously mentioned in theUsing the Authentication Decoratorsection, a custom authentication strategy should avoid repeatedly specifying itsdefault options in the @authenticate decorator. Instead, it shoulddefine its default options in one place, and only specify overridingoptions in the @authenticate decorator when necessary.

Here are the steps for accomplishing this.

Define the Options Interface and Binding Key

Define an options interface and a binding key for the default options of thatspecific authentication strategy.

export interface AuthenticationStrategyOptions {
  [property: string]: any;
}
export namespace BasicAuthenticationStrategyBindings {
  export const DEFAULT_OPTIONS = BindingKey.create<
    AuthenticationStrategyOptions
  >('authentication.strategies.basic.defaultoptions');
}

Bind the Default Options

Bind the default options of the custom authentication strategy to theapplication application.ts via theBasicAuthenticationStrategyBindings.DEFAULT_OPTIONS binding key.

In this hypothetical example, our custom authentication strategy has adefault option of gatherStatistics with a value of true. (In a realcustom authentication strategy, the number of options could be more numerous)

export class MyApplication extends BootMixin(
  ServiceMixin(RepositoryMixin(RestApplication)),
) {
  constructor(options?: ApplicationConfig) {
    super(options);
    //...
    this.bind(BasicAuthenticationStrategyBindings.DEFAULT_OPTIONS).to({
      gatherStatistics: true,
    });
    //...
  }
}

Override Default Options In Authentication Decorator

Specify overriding options in the @authenticate decorator only when necessary.

In this example, we only specify an overriding option gatherStatisticswith a value of false for the /scareme endpoint. We use the defaultoption value for the /whoami endpoint.

import {inject} from '@loopback/context';
import {
  AuthenticationBindings,
  UserProfile,
  authenticate,
} from '@loopback/authentication';
import {get} from '@loopback/rest';
export class WhoAmIController {
  constructor(
    @inject(SecurityBindings.USER)
    private userProfile: UserProfile,
  ) {}
  @authenticate('basic')
  @get('/whoami')
  whoAmI(): string {
    return this.userProfile.id;
  }
  @authenticate('basic', {gatherStatistics: false})
  @get('/scareme')
  scareMe(): string {
    return 'boo!';
  }
}

Update Custom Authentication Strategy to Handle Options

The custom authentication strategy must be updated to handle the loading ofdefault options, and overriding them if they have been specified in the@authenticate decorator.

Here is the updated BasicAuthenticationStrategy:

import {
  AuthenticationStrategy,
  UserProfile,
  TokenService,
  AuthenticationMetadata,
  AuthenticationBindings,
} from '@loopback/authentication';
import {Getter} from '@loopback/core';
export interface Credentials {
  username: string;
  password: string;
}
export class BasicAuthenticationStrategy implements AuthenticationStrategy {
  name: string = 'basic';
  @inject(BasicAuthenticationStrategyBindings.DEFAULT_OPTIONS)
  options: AuthenticationStrategyOptions;
  constructor(
    @inject(UserServiceBindings.USER_SERVICE)
    private userService: UserService,
    @inject.getter(AuthenticationBindings.METADATA)
    readonly getMetaData: Getter<AuthenticationMetadata>,
  ) {}
  async authenticate(request: Request): Promise<UserProfile | undefined> {
    const credentials: Credentials = this.extractCredentials(request);
    await this.processOptions();
    if (this.options.gatherStatistics === true) {
      console.log(`\nGathering statistics...\n`);
    } else {
      console.log(`\nNot gathering statistics...\n`);
    }
    const user = await this.userService.verifyCredentials(credentials);
    const userProfile = this.userService.convertToUserProfile(user);
    return userProfile;
  }
  extractCredentials(request: Request): Credentials {
    let creds: Credentials;
    /**
     * Code to extract the 'basic' user credentials from the Authorization header
     */
    return creds;
  }
  async processOptions() {
    /**
        Obtain the options object specified in the @authenticate decorator
        of a controller method associated with the current request.
        The AuthenticationMetadata interface contains : strategy:string, options?:object
        We want the options property.
    */
    const controllerMethodAuthenticationMetadata = await this.getMetaData();
    if (!this.options) this.options = {}; //if no default options were bound, assign empty options object
    //override default options with request-level options
    this.options = Object.assign(
      {},
      this.options,
      controllerMethodAuthenticationMetadata.options,
    );
  }
}

Inject default options into a property options using theBasicAuthenticationStrategyBindings.DEFAULT_OPTIONS binding key.

Inject a getter named getMetaData that returns AuthenticationMetadatausing the AuthenticationBindings.METADATA binding key. This metadata containsthe parameters passed into the @authenticate decorator.

Create a function named processOptions() that obtains the default options, andoverrides them with any request-level overriding options specified in the@authenticate decorator.

Then, in the authenticate() function of the custom authentication strategy,call the processOptions() function, and have the custom authenticationstrategy react to the updated options.

Summary

We’ve gone through the main steps for adding authentication to your LoopBack 4application.

Your application.ts should look similar to this:

import {
  AuthenticationComponent,
  registerAuthenticationStrategy,
} from '@loopback/authentication';
export class MyApplication extends BootMixin(
  ServiceMixin(RepositoryMixin(RestApplication)),
) {
  constructor(options?: ApplicationConfig) {
    super(options);
    /* set up miscellaneous bindings */
    //...
    // load the authentication component
    this.component(AuthenticationComponent);
    // register your custom authentication strategy
    registerAuthenticationStrategy(this, BasicAuthenticationStrategy);
    // use your custom authenticating sequence
    this.sequence(MyAuthenticatingSequence);
    this.static('/', path.join(__dirname, '../public'));
    this.projectRoot = __dirname;
    this.bootOptions = {
      controllers: {
        dirs: ['controllers'],
        extensions: ['.controller.js'],
        nested: true,
      },
    };
  }

You can find a completed example and tutorial of a LoopBack 4 shoppingcart application with JWT authenticationhere.