Authentication Package

[ritch]

Closes #136, closes #142, closes #150, closes #145, closes strongloop-internal/scrum-asteroid#164, closes strongloop-internal/scrum-asteroid#165, closes strongloop-internal/scrum-asteroid#166, closes #270, closes #271, closes #272, closes #273, closes #274, closes #275, closes #276

Support basic auth via pluggable Passport strategies

• Add authentication to example Example of Authentication Package #145 @rashmihunt
• Express compatibility Express-middleware compatibility #136 @deepak
• @authenticate implementation @authenticate implementation #150 @siddhi @mahesh
• need @Inject support in toDynamicValue need @inject support in toDynamicValue #229
• need a core binding for controllerClass : Constructor DO NOT MERGE: Feature/controller and op bindings #235 @mahesh
  • eg. requestContext.bind('controllerClass').to(ctor); // ctor => controller class
• @inject support for ctor args @inject support for ctor args #142 @bajtos
• need a core binding for methodToInvoke : string
  • https://github.com/strongloop/loopback-next/blob/master/packages/loopback/lib/router/SwaggerRouter.ts#L186
  • pass arg to controllerFactory
• need a way to export and import these bindings (design)
• implementation of export / import in the authentication package
• need @inject support in toDynamicValue #229 Core binding for controllerClass : Constructor #231 Design: Import/export bindings from a component #232 Import/export a binding in a component #234
• OAuth2 Strategy support for the authentication package OAuth2 Strategy support for the authentication package #230
• Implement @injectSend Implement @injectSend #270
• Implement @injectReject Implement @injectReject #274

//
//  Basic psuedo implementation of the auth extension
// 

app.bind('authentication.user').toDynamicValue((
  @inject('authentication.required') required,
  @inject('http.request') req,
  @inject('authentication.strategy') strategy
) => {
  const user = await strategy.getAuthenticatedUser(req);

  if (required && !user) throw createAuthError()

  return user;
});

app.bind('authentication.required').toDynamicValue((
  @inject('controllerClass') controllerClass
  @inject('router.methodToInvoke') methodToInvoke
) => {
  return isRequired(controllerClass, methodToInvoke);
});

const authenticate = () => {
  // use Reflect.defineMeta
}

[kesavkolla]

Is it possible to bring in external auth and authz models? IMO integration with auth0 or keycloak etc... should be accomodated easily

[ritch]

What bindings do we need?

• @siddhipai / @mpatsute authentication.required => boolean, is an authentic set of credentials required?
• @deepakrkris @rashmihunt authentication.userId =>
• @deepakrkris @rashmihunt authentication.user =>
• @deepakrkris @rashmihunt authentication.strategy =>

// application code (user provided)
 ctx.bind('authentication.strategy').to(() => {
    return new Strategy(verify);

    function verify(username, password, cb) {
      cb(null, {username: username});
    }
 });

// authentication package code
ctx.bind('authentication.user').to((
  @inject('authentication.strategy') strategy,
  @inject('http.request') req
) => {
   return Promise((resolve, reject) => {
     const shimReq = createShimReq(req);
     strategy.success = resolve;
     strategy.fail = () => {
       resolve();
     }
     strategy.authenticate(shimReq);
   });
});

[ritch]

@kesavkolla yep... once this is complete you'll be able to use Auth0Strategy from Passport.

[deepakrkris]

since decorators for individual functions are not applicable, a slight change to the bindings will be required, like from @bind function getAuthenticatedUser() {... to export class Bindings { @bind getAuthenticatedUser() {...

[deepakrkris]

acceptance test from Ritchie:

////////// acceptance
import {BasicStrategy} from 'passport-http';
import {authenticate, UserInfo} from '@loopback/authentication';
const app = new Application();
const server = new Server();
const client = new Client(server.url);

@api({
  basePath: '/',
  paths: {
    '/who-am-i': {
      get: {
        'x-operation-name': 'whoAmI',
        responses: {
          '200': {
            type: 'string'
          }
        }
      }
    }
  }
})
class MyController {
  constructor(public @inject('authentication.user') user : UserInfo) {

  }

  @authenticate
  public whoAmI() : string {
    const user = this.user;
    assert(user);
    return user.username;
  }
}

app.controller(MyController);
server.bind('applications.myApp').to(app);

function verifyPassword(storedPassword, providedPassword) {
  // unecrypted password example:
  return storedPassword === providedPassword;
}

const USERS = {
  joe: {username: 'joe', password: '12345'}
};

// my get user function
 app.bind('authentication.strategy').to(() => {
    return new BasicStrategy(verify);

    function verify(username, password, cb) {
      cb(null, {username: username});
    }
 });


// test the app
await server.start();
await client
  .auth({
    username: 'joe',
    password: '123456'
  })
  .get('/who-am-i'); // => joe

await client
  .auth({
    username: 'joe',
    password: 'bad password'
  })
  .get('/who-am-i'); // => 401

await client
  // no auth
  .get('/who-am-i'); // => 401

/////////

//
//  Basic psuedo implementation of the auth extension
// 

// file: loopback-next/packages/authentication/component.ts
import * as bindings from './bindings.ts';
import Component from '@loopback/component';

export class AuthenticationComponent extends Component {
  constructor() {
    this.bindings = bindings;
  }
}

// file: loopback-next/packages/authentication/bindings.ts

@bind('authentication.user')
export const getAuthenticatedUser = (
  @inject('authentication.required') required,
  @inject('http.request') req,
  @inject('authentication.strategy') strategy
) => {
  const user = await strategy.getAuthenticatedUser(req);

  if (required && !user) throw createAuthError()

  return user;
};

@bind('authentication.required')
export const isAuthenticationRequired =(
  @inject('controllerClass') controllerClass
  @inject('router.methodToInvoke') methodToInvoke
) => {
  return isRequired(controllerClass, methodToInvoke);
};

const authenticate = () => {
  // use Reflect.defineMeta
}