Required to annotate with @authenticate for all the routes!

[vishalvisd]

Current Behavior

I have to annotate all of my controller routes with @authenticate('startegry_name'), but in my case I just have a single strategy and don't like the compulsion of adding the @autheticate annotation to each of my 20-30 routes. Though, one or two routes are there where I don't need any authentication and should be available for public.

Expected Behavior

Would be better if there is a way to have authentication default for all routes except for one or two. IF there is already some sort of way available please let me know what would be that.

Acceptance criteria

• if a method is decorated with @authenticate, the method would use the metadata as is without checking the class
• if a method is not decorated with @authenticate, the method would check the class level
• introduce @authenticate.skip or @authenticate('skip') to exclude a method to inherit @authenticate from the class
• update relevant docs in the site

[dougal83]

except for one or two.

A whitelist effectively? I do think that is a nice to have(if not already). Low priority.

[vishalvisd]

So, is it nice to have all paths which may go up to any number (in my case around 30) and all to be annotated with @authenticate !?. How about the case when there is just one strategy and all the paths (ignore my mention about one or two paths and assume all paths) needs to be authenticated with that strategy

Also, is it good way - for example if for some reason, if someone forget to annotate, than that path will be public.

Unless I missed something, I feel I am asking a very simple question about a common scenario that many will be facing.

[jannyHou]

@vishalvisd I also discussed with team about having a controller class decorator that sets one authentication strategy for all the methods. Will update the progress here when we start, now as a workaround, you can hardcode what strategy to return in the strategy resolver, see this example.

In the example above, the strategy resolver returns the strategy according to a controller function's metadata, in your case you can just ignore the metadata and return the particular strategy you want.

[vishalvisd]

I know about this, but this need to still annotate all routes which I think is not a workaround.

Thanks for taking it up for discussion, hope to see an update on this soon. Loopback is a great framework and I really appreciate the effort you guys are putting into it!