Questions about authentication & ACL

[Cadrach]

Hi,

I have a few questions about authentication:

I have model A and A hasMany B. Also, A has a property "users" which holds links to users that should be able to access it. How can I configure B, so that it can be read & written only by users allowed to A? Example high level code:

A.hasMany('b', {model: B});
A.hasMany('users', {model: User});

I am a bit lost for this: should I DENY all in B, and work only with hooks? But it looks like hooks only work with remote methods, so how can I protect B so that it can be listed with A only if User is in A.users?

[Cadrach]

Just saw that hooks work with pre-defined method. I will work from here but input still appreciated

[Cadrach]

I am trying to add a remote method to the User, but since I am extending the base User model, I cannot access it, I have tried adding the access through ACL.create, but to no avail.

var db = require('../data-sources/db');
var loopback = require('loopback');
var ACL = loopback.ACL;

// define a User model
var User = loopback.User.extend('User',{

});

// attach to the memory connector
User.attachTo(db);

User.findByUsername = function(username, callback){
    console.log('FIND BY USERNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAME');
}

//Link remote methods
loopback.remoteMethod(
    User.findByUsername,
    {
        accepts: {arg: 'username', type: 'string'},
        returns: {arg: 'users', type: 'object'},
        http: {path: '/findByUsername', verb: 'get'}
    }
);

ACL.create( {
    accessType: ACL.ALL,
    permission: ACL.ALLOW,
    principalType: ACL.ROLE,
    principalId: '$everyone',
    model: User,
    property: User.findByUsername
});

What am I doing wrong?

[bajtos]

Hi @Cadrach, the code in your last comment describes only the setup, not the actual call of the findByUsername method. How did you called it and what error did you received?

[bajtos]

I don't know enough about ACLs to answer you original question, we'll have to wait for @ritch.

[raymondfeng]

The ACL create should be:

ACL.create( {
    accessType: ACL.ALL,
    permission: ACL.ALLOW,
    principalType: ACL.ROLE,
    principalId: '$everyone',
    model: 'User', // Name of the model
    property: 'findByUsername' // Name of the property/method
}, callback);

[Cadrach]

@bajtos Thanks anyways :)
@raymondfeng It did the trick, thanks! I will leave the issue open a bit and post again if I get stuck.

For anyone having the same kind of issue: I ran the request through the built in explorer, and also through the generated angular JS. In fact since it is a GET I can run it though the browser and get the same return, here it is :

{
  "error": {
    "name": "Error",
    "status": 401,
    "message": "Access Denied",
    "statusCode": 401,
    "stack": "Error: Access Denied
    at node_modules/loopback/lib/application.js:298:21
    at node_modules/loopback/lib/models/acl.js:463:17
    at node_modules/loopback/lib/models/acl.js:426:19
    at node_modules/async/lib/async.js:232:13
    at node_modules/async/lib/async.js:119:25
    at node_modules/async/lib/async.js:24:16
    at node_modules/async/lib/async.js:229:17
    at node_modules/async/lib/async.js:516:34
    at node_modules/loopback/lib/models/acl.js:410:15
    at node_modules/loopback/lib/models/role.js:184:19"
  }
}

[Cadrach]

Ok, so new question :), how can I change the "public" property of a Model from the JS?

var db = require('../data-sources/db');
var config = require('./message.json');
var Message = module.exports = db.createModel(
    'Message',
    config.properties,
    config.options
);
//Now I would like to do something like
Message.setPublic(false);

[raymondfeng]

By default, models are not public unless you (or app.boot()) calls app.model(model).

[Cadrach]

Now that you say it, it seems logical :)

New questions if you do not mind:

• I do not like the fact that I need to expose the User service to take advantage of "login" and "logout", but then the "findById" request returns the hashed password, as you can imagine it does not sit well with me :). How would you go about that: we need the hashed password server side, but we do not want to send it ever, should I do this with hooks too? If so how can the hook get the difference between server & client calls?
• Related to this, I have created a model A that has a "belongsTo" relations with User (to store User registered to this entity). Doing this means that any request which "include" the relations will get the full User information, again with hashed password and email. Do I need a post-hook in "A" to remove the sensible information? (This is quite common in my setup)

[bajtos]

Hi Cadrach, regarding the JSON representation of the User containing password hash: the issue has been already fixed in v1.7.4. See #160 and #217.

[Cadrach]

I updated to 1.7.4 but I still have the issue (I double-checked and the options.hidden modification are indeed in the code):

Participant.belongsTo(User, {
    as: 'user',
    foreignKey: 'userId'
});

I call

http://localhost:3000/api/Participants?filter={"include":"user"}
// Encoded this gives: api/Participants?filter=%7B%22include%22%3A%22user%22%7D

And I get the following (I leave the full id & hash since it is test data):

[
  {
    "id": "533ead93d6d8c95cdcda247e",
    "userId": "53144d4e9e79b6f057ffb9c7",
    "user": {
      "realm": null,
      "username": "a",
      "password": "$2a$10$bh0t7SJCxBkpEkdTh2gvDe4.PDbAxNeWDHZTPRW1Pht17sBEmCYPm",
      "email": "a@a.com",
      "emailVerified": null,
      "verificationToken": null,
      "credentials": [],
      "challenges": [],
      "status": null,
      "created": null,
      "lastUpdated": null,
      "id": "53144d4e9e79b6f057ffb9c7"
    }
  }
]

As a side question, do you know where I can look to get an advanced example of Scope usage, I think this is what I need in my application (Member creates a model instance and has specifics rights on it and its related models)

[bajtos]

@ritch It seems that your fix does not work for nested object, is that possible?

As a side question, do you know where I can look to get an advanced example of Scope usage, I think this is what I need in my application (Member creates a model instance and has specifics rights on it and its related models)

That's a question @raymondfeng can answer best.

[Cadrach]

@raymondfeng I can see you are under heavy load, could you just confirm if the Scope is the right way to look for? As a reminder what I would like to achieve is:
Assign a Role to a User only for a specific model instance, and allow him some higher rights for this instance and its related models instances (For example a forum moderator with moderation rights only on some sub-forums, and their posts).

[raymondfeng]

Scope is basically a predefined query. The filter can be preset by the server code. It can be used to constrain find with ACL.

You can also use custom methods to define high order functions.

Sorry for the late reply as I'm sick out.