How to report HttpErrors.Forbidden from authenticate action

[fiftikhar]

Suggestion
I have implement JWTStrategy
every thing working fine. now I am trying to further authenticate according to user roles
e.g if logged in user is not ADMIN raised HttpErrors.Forbidden error

current strategy-adapter.js code only raise InternalServerError if I pass error in cb() of JWTStrategy

I have changed strategy-adapter.js
reject(new rest_1.HttpErrors.InternalServerError(error)); to
reject(error); and pass
cb(new HttpErrors.Forbidden(), false); in auth-strategy.provides.ts
which working according to my requirement
my question is there best way to implement changes in my code instead of changing in @loopback/authentication module directly

Existing CODE
@loopback/authentication/strategy-adapter.js

strategy.error = function (error) {              
                reject(new rest_1.HttpErrors.InternalServerError(error));
            };

[mrvdot]

The first parameter is reserved only for actual server errors in trying to complete verification, not for invalid/insufficient credentials. If the authentication fails, the second parameter to the callback should be false (i.e. no valid user), and then you can use the third parameter as your error message, e.g.:

cb(null, false, 'User X has insufficient privileges')

That should trigger an Unauthorized error. If it must be a Forbidden error, I'd recommend creating a second SequenceAction that checks permissions after the user is authenticated.

[jannyHou]

@Ghtech We have a PoC PR to implement the jwt auth in the example repository https://github.com/strongloop/loopback4-example-shopping, it's still in progress but we are able to perform the jwt auth on certain endpoint, hope it gives you some hint.