Overview

In every web application, we need to have a way to identify access rights of auser for any resource, which is known as Authorization. This is aminimalistic guide for creating such an implementation using Loopback component.This can be part of your main REST Application project or can be created as aLoopback extension for reuse in multiple projects. Latter is the better optionfor obvious reasons - reusability.

Note:

The LoopBack team is working on making authorization an out-of-the-boxfeature in LoopBack 4. It is a work in progress and will soon be there. Untilthen, this implementation guide can be followed.

The requirement

  • Every protected API end point needs to be restricted by specific permissions.
  • API allows access only if logged in user has permission as per end pointrestrictions.
  • API throws 403 Forbidden error if logged in user do not have sufficientpermissions.
  • Publicly accessible APIs must be accessible regardless of user permissions.
  • Every user has a set of permissions. These permissions may be associated viarole attached to the user or directly to the user.
  • A user can be provided additional permissions or denied some permissions overan above its role permissions. This is considered explicit allow/deny andalways takes precedence while calculating permissions.

Considerations

There are a few considerations that are taken into account before thisimplementation can be done.

  • User authentication is already implemented. You can refer to the@loopback/authenticationguide.
  • As part of authentication, client is sent back a token (JWT or similar) whichclient need to pass in every API request headers thereafter.
  • The authenticate action provider parses the token to return AuthResponseobject.
  • AuthResponse contains the logged in user information including associatedrole details.

The implementation

First, let’s define the types needed for this.

/src/authorization/types.ts

  1. import {PermissionKey} from './permission-key';
  3. /**
  4.  * Authorize action method interface
  5.  */
  6. export interface AuthorizeFn {
  7.   // userPermissions - Array of permission keys granted to the user
  8.   // This is actually a union of permissions picked up based on role
  9.   // attached to the user and allowed permissions at specific user level
  10.   (userPermissions: PermissionKey[]): Promise<boolean>;
  11. }
  13. /**
  14.  * Authorization metadata interface for the method decorator
  15.  */
  16. export interface AuthorizationMetadata {
  17.   // Array of permissions required at the method level.
  18.   // User need to have at least one of these to access the API method.
  19.   permissions: string[];
  20. }
  22. /**
  23.  * User Permission model
  24.  * used for explicit allow/deny any permission at user level
  25.  */
  26. export interface UserPermission {
  27.   permission: PermissionKey;
  28.   allowed: boolean;
  29. }
  31. /**
  32.  * User permissions manipulation method interface.
  33.  *
  34.  * This is where we can add our business logic to read and
  35.  * union permissions associated to user via role with
  36.  * those associated directly to the user.
  37.  *
  38.  */
  39. export interface UserPermissionsFn {
  40.   (
  41.     userPermissions: UserPermission[],
  42.     rolePermissions: PermissionKey[],
  43.   ): PermissionKey[];
  44. }

We define four interfaces.

  • AuthorizeFn - This is going to be the interface for authorization actionbusiness logic.
  • AuthorizationMetadata - This interface represents the information to bepassed via decorator for each individual controller method.
  • UserPermission - This is the interface to be used for associating userlevel permissions. It is actually doing explicit allow/deny at user level,over and above role permissions.
  • UserPermissionsFn - This is going to be the interface for userpermissions manipulation, if required any.The PermissionKey is an enum containing all possible permission keys. Here is asample.

/src/authorization/permission-key.ts

  1. export const enum PermissionKey {
  2.   // For accessing own (logged in user) profile
  3.   ViewOwnUser = 'ViewOwnUser',
  4.   // For accessing other users profile.
  5.   ViewAnyUser = 'ViewAnyUser',
  6.   // For creating a user
  7.   CreateAnyUser = 'CreateAnyUser',
  8.   // For updating own (logged in user) profile
  9.   UpdateOwnUser = 'UpdateOwnUser',
  10.   // For updating other users profile
  11.   UpdateAnyUser = 'UpdateAnyUser',
  12.   // For deleting a user
  13.   DeleteAnyUser = 'DeleteAnyUser',
  15.   // For accessing a role
  16.   ViewRoles = 'ViewRoles',
  17.   // For creating a role
  18.   CreateRoles = 'CreateRoles',
  19.   // For updating a role info
  20.   UpdateRoles = 'UpdateRoles',
  21.   // For removing a role
  22.   DeleteRoles = 'DeleteRoles',
  23. }

Next, we create the binding keys for each type and accessor key for methoddecorator.

/src/authorization/keys.ts

  1. import {BindingKey} from '@loopback/context';
  2. import {MetadataAccessor} from '@loopback/metadata';
  3. import {AuthorizeFn, AuthorizationMetadata, UserPermissionsFn} from './types';
  5. /**
  6.  * Binding keys used by this component.
  7.  */
  8. export namespace AuthorizatonBindings {
  9.   export const AUTHORIZE_ACTION = BindingKey.create<AuthorizeFn>(
  10.     'userAuthorization.actions.authorize',
  11.   );
  13.   export const METADATA = BindingKey.create<AuthorizationMetadata | undefined>(
  14.     'userAuthorization.operationMetadata',
  15.   );
  17.   export const USER_PERMISSIONS = BindingKey.create<UserPermissionsFn>(
  18.     'userAuthorization.actions.userPermissions',
  19.   );
  20. }
  22. /**
  23.  * Metadata accessor key for authorize method decorator
  24.  */
  25. export const AUTHORIZATION_METADATA_ACCESSOR = MetadataAccessor.create<
  26.   AuthorizationMetadata,
  27.   MethodDecorator
  28. >('userAuthorization.accessor.operationMetadata');

Now, we need to create three providers

  • AuthorizationMetadataProvider - This will read the decorator metadatafrom the controller methods wherever the decorator is used.
  • AuthorizeActionProvider - This holds the business logic for accessvalidation of the user based upon access permissions allowed at method levelvia decorator metadata above.
  • UserPermissionsProvider - This is where we can add our business logic toread and unify permissions associated to user via role, with those associateddirectly to the user. In our case, an explicit allow/deny at user level takesprecendence over role permissions. But this business logic may varyapllication to application. So, feel free to customize.

/src/authorization/providers/authorization-metadata.provider.ts

  1. import {
  2.   Constructor,
  3.   inject,
  4.   MetadataInspector,
  5.   Provider,
  6. } from '@loopback/context';
  7. import {CoreBindings} from '@loopback/core';
  9. import {AUTHORIZATION_METADATA_ACCESSOR} from '../keys';
  10. import {AuthorizationMetadata} from '../types';
  12. export class AuthorizationMetadataProvider
  13.   implements Provider<AuthorizationMetadata | undefined> {
  14.   constructor(
  15.     @inject(CoreBindings.CONTROLLER_CLASS)
  16.     private readonly controllerClass: Constructor<{}>,
  17.     @inject(CoreBindings.CONTROLLER_METHOD_NAME)
  18.     private readonly methodName: string,
  19.   ) {}
  21.   value(): AuthorizationMetadata | undefined {
  22.     return getAuthorizeMetadata(this.controllerClass, this.methodName);
  23.   }
  24. }
  26. export function getAuthorizeMetadata(
  27.   controllerClass: Constructor<{}>,
  28.   methodName: string,
  29. ): AuthorizationMetadata | undefined {
  30.   return MetadataInspector.getMethodMetadata<AuthorizationMetadata>(
  31.     AUTHORIZATION_METADATA_ACCESSOR,
  32.     controllerClass.prototype,
  33.     methodName,
  34.   );
  35. }

/src/authorization/providers/authorization-action.provider.ts

  1. import {Getter, inject, Provider} from '@loopback/context';
  3. import {AuthorizatonBindings} from '../keys';
  4. import {AuthorizationMetadata, AuthorizeFn} from '../types';
  6. import {intersection} from 'lodash';
  8. export class AuthorizeActionProvider implements Provider<AuthorizeFn> {
  9.   constructor(
  10.     @inject.getter(AuthorizatonBindings.METADATA)
  11.     private readonly getMetadata: Getter<AuthorizationMetadata>,
  12.   ) {}
  14.   value(): AuthorizeFn {
  15.     return response => this.action(response);
  16.   }
  18.   async action(userPermissions: string[]): Promise<boolean> {
  19.     const metadata: AuthorizationMetadata = await this.getMetadata();
  20.     if (!metadata) {
  21.       return false;
  22.     } else if (metadata.permissions.indexOf('*') === 0) {
  23.       // Return immediately with true, if allowed to all
  24.       // This is for publicly open routes only
  25.       return true;
  26.     }
  28.     // Add your own business logic to fetch or
  29.     // manipulate with user permissions here
  31.     const permissionsToCheck = metadata.permissions;
  32.     return intersection(userPermissions, permissionsToCheck).length > 0;
  33.   }
  34. }

Below is the user permissions manipulation logic. If there is no requirement ofuser level permissions in your application, you can skip the below.

/src/authorization/providers/user-permissions.provider.ts

  1. import {Provider} from '@loopback/context';
  3. import {PermissionKey} from '../permission-key';
  4. import {UserPermission, UserPermissionsFn} from '../types';
  6. export class UserPermissionsProvider implements Provider<UserPermissionsFn> {
  7.   constructor() {}
  9.   value(): UserPermissionsFn {
  10.     return (userPermissions, rolePermissions) =>
  11.       this.action(userPermissions, rolePermissions);
  12.   }
  14.   action(
  15.     userPermissions: UserPermission[],
  16.     rolePermissions: PermissionKey[],
  17.   ): PermissionKey[] {
  18.     let perms: PermissionKey[] = [];
  19.     // First add all permissions associated with role
  20.     perms = perms.concat(rolePermissions);
  21.     // Now update permissions based on user permissions
  22.     userPermissions.forEach((userPerm: UserPermission) => {
  23.       if (userPerm.allowed && perms.indexOf(userPerm.permission) < 0) {
  24.         // Add permission if it is not part of role but allowed to user
  25.         perms.push(userPerm.permission);
  26.       } else if (!userPerm.allowed && perms.indexOf(userPerm.permission) >= 0) {
  27.         // Remove permission if it is disallowed for user
  28.         perms.splice(perms.indexOf(userPerm.permission), 1);
  29.       }
  30.     });
  31.     return perms;
  32.   }
  33. }

Next, we need to expose these providers via Component to be bound to thecontext.

/src/authorization/component.ts

  1. import {Component, ProviderMap} from '@loopback/core';
  2. import {AuthorizatonBindings} from './keys';
  3. import {AuthorizeActionProvider} from './providers/authorization-action.provider';
  4. import {AuthorizationMetadataProvider} from './providers/authorization-metadata.provider';
  5. import {UserPermissionsProvider} from './providers/user-permissions.provider';
  7. export class AuthorizationComponent implements Component {
  8.   providers?: ProviderMap;
  10.   constructor() {
  11.     this.providers = {
  12.       [AuthorizatonBindings.AUTHORIZE_ACTION.key]: AuthorizeActionProvider,
  13.       [AuthorizatonBindings.METADATA.key]: AuthorizationMetadataProvider,
  14.       [AuthorizatonBindings.USER_PERMISSIONS.key]: UserPermissionsProvider,
  15.     };
  16.   }
  17. }

You can see that we have used the same binding keys which we created earlier.

Now, its time to create our method decorator function. Here it is. We will beusing the same metadata accessor key which we created earlier and the metadatainterface for accessing the data in decorator.

/src/authorization/decorators/authorize.decorator.ts

  1. import {MethodDecoratorFactory} from '@loopback/core';
  2. import {AuthorizationMetadata} from '../types';
  3. import {AUTHORIZATION_METADATA_ACCESSOR} from '../keys';
  5. export function authorize(permissions: string[]) {
  6.   return MethodDecoratorFactory.createDecorator<AuthorizationMetadata>(
  7.     AUTHORIZATION_METADATA_ACCESSOR,
  8.     {
  9.       permissions: permissions || [],
  10.     },
  11.   );
  12. }

For error handling keys, lets create an enum.

/src/authorization/error-keys.ts

  1. export const enum AuthorizeErrorKeys {
  2.   NotAllowedAccess = 'Not Allowed Access',
  3. }

Finally, we put everything together in one index file.

/src/authorization/index.ts

  1. export * from './component';
  2. export * from './types';
  3. export * from './keys';
  4. export * from './error-keys';
  5. export * from './permission-key';
  6. export * from './decorators/authorize.decorator';
  7. export * from './providers/authorization-metadata.provider';
  8. export * from './providers/authorization-action.provider';
  9. export * from './providers/user-permissions.provider';

That is all for the authorization component. You can create all of the aboveinto a loopback extension as well. Everything remains the same. Refer to theextension generator guide for creating an extension.

Usage

In order to use the above component into our REST API application, we have a fewmore steps to go.

  • Add component to application.

/src/application.ts

  1. this.component(AuthenticationComponent);
  • Add permissions array to the role model.

/src/models/role.model.ts

  1. @model({
  2.   name: 'roles',
  3. })
  4. export class Role extends Entity {
  5.   // .....
  6.   // other attributes here
  7.   // .....
  9.   @property.array(String, {
  10.     required: true,
  11.   })
  12.   permissions: PermissionKey[];
  14.   constructor(data?: Partial<Role>) {
  15.     super(data);
  16.   }
  17. }
  • Add user level permissions array to the user model. Do this if there is a usecase of explicit allow/deny of permissions at user-level in the application.You can skip otherwise.

/src/models/user.model.ts

  1. @model({
  2.   name: 'users',
  3. })
  4. export class User extends Entity {
  5.   // .....
  6.   // other attributes here
  7.   // .....
  9.   @property.array(String)
  10.   permissions: UserPermission[];
  12.   constructor(data?: Partial<User>) {
  13.     super(data);
  14.   }
  15. }
  • Add a step in custom sequence to check for authorization whenever any endpoint is hit.

/src/sequence.ts

  1. import {inject} from '@loopback/context';
  2. import {
  3.   FindRoute,
  4.   getModelSchemaRef,
  5.   InvokeMethod,
  6.   ParseParams,
  7.   Reject,
  8.   RequestContext,
  9.   RestBindings,
  10.   Send,
  11.   SequenceHandler,
  12.   HttpErrors,
  13. } from '@loopback/rest';
  14. import {AuthenticationBindings, AuthenticateFn} from './authenticate';
  15. import {
  16.   AuthorizatonBindings,
  17.   AuthorizeFn,
  18.   AuthorizeErrorKeys,
  19. } from './authorization';
  21. const SequenceActions = RestBindings.SequenceActions;
  23. export class MySequence implements SequenceHandler {
  24.   constructor(
  25.     @inject(SequenceActions.FIND_ROUTE) protected findRoute: FindRoute,
  26.     @inject(SequenceActions.PARSE_PARAMS) protected parseParams: ParseParams,
  27.     @inject(SequenceActions.INVOKE_METHOD) protected invoke: InvokeMethod,
  28.     @inject(SequenceActions.SEND) public send: Send,
  29.     @inject(SequenceActions.REJECT) public reject: Reject,
  30.     @inject(AuthenticationBindings.AUTH_ACTION)
  31.     protected authenticateRequest: AuthenticateFn,
  32.     @inject(AuthorizatonBindings.USER_PERMISSIONS)
  33.     protected fetchUserPermissons: UserPermissionsFn,
  34.     @inject(AuthorizatonBindings.AUTHORIZE_ACTION)
  35.     protected checkAuthorization: AuthorizeFn,
  36.   ) {}
  38.   async handle(context: RequestContext) {
  39.     try {
  40.       const {request, response} = context;
  41.       const route = this.findRoute(request);
  42.       const args = await this.parseParams(request, route);
  43.       // Do authentication of the user and fetch user permissions below
  44.       const authUser: AuthResponse = await this.authenticateRequest(request);
  45.       // Parse and calculate user permissions based on role and user level
  46.       const permissions: PermissionKey[] = this.fetchUserPermissons(
  47.         authUser.permissions,
  48.         authUser.role.permissions,
  49.       );
  50.       // This is main line added to sequence
  51.       // where we are invoking the authorize action function to check for access
  52.       const isAccessAllowed: boolean = await this.checkAuthorization(
  53.         permissions,
  54.       );
  55.       if (!isAccessAllowed) {
  56.         throw new HttpErrors.Forbidden(AuthorizeErrorKeys.NotAllowedAccess);
  57.       }
  58.       const result = await this.invoke(route, args);
  59.       this.send(response, result);
  60.     } catch (err) {
  61.       this.reject(context, err);
  62.     }
  63.   }
  64. }

Now we can add access permission keys to the controller methods using authorizedecorator as below.

  1. @authorize([PermissionKey.CreateRoles])
  2. @post(rolesPath, {
  3.   responses: {
  4.     [STATUS_CODE.OK]: {
  5.       description: 'Role model instance',
  6.       content: {
  7.         [CONTENT_TYPE.JSON]: {schema: getModelSchemaRef(Role)}},
  8.       },
  9.     },
  10.   },
  11. })
  12. async create(@requestBody() role: Role): Promise<Role> {
  13.   return this.roleRepository.create(role);
  14. }

This endpoint will only be accessible if logged in user has permission‘CreateRoles’.