Skip to content

Allow tokens with eternal TTL (value -1) #2841

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bajtos merged 1 commit into from
Oct 12, 2016
Merged

Allow tokens with eternal TTL (value -1) #2841

bajtos merged 1 commit into from
Oct 12, 2016

Conversation

@bajtos
Copy link
Member

@bajtos bajtos commented Oct 10, 2016
edited
Loading

  • Add a new User setting allowEternalTokens
  • Enhance AccessToken.validate() to support eternal tokens with ttl value -1 when the user model allows it.

This patch supersedes #1797.

@ritch please review

@bajtos
Allow tokens with eternal TTL (value -1)
6808159 
 - Add a new User setting 'allowEternalTokens'
 - Enhance 'AccessToken.validate' to support eternal tokens with ttl
   value -1 when the user model allows it.
@bajtos bajtos added the #review label Oct 10, 2016
@bajtos bajtos mentioned this pull request Oct 10, 2016
Closed
ritch
ritch approved these changes Oct 11, 2016
View reviewed changes
Copy link
Member

@ritch ritch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@ritch ritch assigned bajtos and unassigned ritch Oct 11, 2016
@bajtos bajtos merged commit 3229fdb into master Oct 12, 2016
@bajtos bajtos removed the #review label Oct 12, 2016
@bajtos bajtos deleted the feature/allow-eternal-access-tokens branch October 12, 2016 10:30
@bajtos bajtos mentioned this pull request Oct 12, 2016
Merged
@josephlaw
Copy link

josephlaw commented Oct 13, 2016
edited
Loading

How to set allowEternalTokens = true?

It is success to add "allowEternalTokens : true" inside options in node_modules/loopback/common/models/user.json, but it fail when add into common/models/user.json.

@bajtos
Copy link
Member Author

bajtos commented Nov 9, 2016

@josephlaw you should create a new model inheriting from the built-in User model. Then you can change the setting in common/my-user.json file.

@Shyri
Copy link

Shyri commented Nov 20, 2016

I couldn't make it work.

Having a custom user model leads the accessToken default model not to find the user relationship at the moment of verifying the token, see how User is undefined in the debug screenshot.
screen shot 2016-11-20 at 12 36 22

@Shyri
Copy link

Shyri commented Dec 5, 2016

@bajtos Any idea why User is undefined in my previous message?

@bajtos
Copy link
Member Author

bajtos commented Dec 5, 2016

@Shyri Any idea why User is undefined in my previous message?

Not really ☹️ Could you please create a small app reproducing the issue (see http://loopback.io/doc/en/contrib/Reporting-issues.html#bug-report) and open a new issue?

@brilvio
Copy link

brilvio commented Dec 8, 2016

It's not passing the validation for me, I have a custom JSON model inherited from built-in model User.

"name": "empresa",
  "base": "User",
  "idInjection": true,
  "options": {
    "validateUpsert": true,
    "allowEternalTokens": true  
  }

The User is defined but User.settings.allowEternalTokens is always undefined :(

@bajtos
Copy link
Member Author

bajtos commented Dec 9, 2016

@brilvio have you updated the configuration of your AccessToken to belongTo your new user model? I think the best way is to create a custom AccessToken model too, see e.g. http://loopbackloops.blogspot.com/ (ignore the last part about overriding AccessToken methods).

@crandmck Google query loopback custom accesstoken model returns the mentioned blog post as the first result, it looks like we may not have this use case documented on loopback.io. Could you PTAL?

@brilvio
Copy link

brilvio commented Dec 9, 2016

@bajtos tried to do what is in the link, new custom model inherited of AccessToken set the relation of this new model to my custom user model as belongTo and now I having this errors AUTHORIZATION_REQUIREDit is like I didn't send the access token at all. Here is the relation in the new model:

"relations": {
    "empresa": {
      "type": "belongsTo",
      "model": "empresa",
      "foreignKey": "userId"
    }
  }

Setting the same relation on the node_modules/loopback/common/models/access-token.jsonfile throws the INVALID_TOKEN because this property is undefined User.settings.allowEternalTokens

@bajtos
Copy link
Member Author

bajtos commented Dec 9, 2016

@brilvio I am afraid I have run out of easy answers. Please open a new issue, provide a sample app reproducing the problem (see http://loopback.io/doc/en/contrib/Reporting-issues.html#bug-report) and include a link to this discussion (#2841) in issue's description.

@brilvio
Copy link

brilvio commented Dec 9, 2016

Thank you for your time. I will do that.

@crandmck crandmck mentioned this pull request Dec 13, 2016
Closed
@crandmck
Copy link
Contributor

crandmck commented Dec 13, 2016

Added it to the reference http://loopback.io/doc/en/lb3/Model-definition-JSON-file.html#advanced-options but we need a more thorough explanation, too.

@jdhrivas
Copy link
Contributor

jdhrivas commented Jan 27, 2017
edited
Loading

@Shyri In my configuration I have extended both the User and AccessToken and I have verified that this feature works.

Here are my settings:

// Extending User model user.json
{
  "name": "user",
  "base": "User",
  "strict": true,
  "idInjection": true,
  "options": {
    "validateUpsert": true,
    "allowEternalTokens": true
  },
 "relations": {
    "accessTokens": {
      "type": "hasMany",
      "model": "accessToken",
      "foreignKey": "userId",
      "options": {
        "disableInclude": true
      }
    }
}
// Note: I'm skipping all my properties, ACL and such. These are the properties that matter for this feature
// Extending AccessToken model access-token.json
{
  "name": "accessToken",
  "plural": "accessTokens",
  "base": "AccessToken",
  "strict": true,
  "idInjection": true,
  "properties": {},
  "validations": [],
  "relations": {
    "user": {
      "type": "belongsTo",
      "model": "user",
      "foreignKey": "userId"
    }
  },
  "acls": [],
  "methods": {}
}

As you can see I have extended both User and AccessToken Model, now when the function AccessToken.prototype.validate is called, User.settings.allowEternalTokens returns true. Without extending AccessToken, User.settings.allowEternalTokens returns false because the AccessToken model is not related to the extended user model where the property allowEternalTokens is set.

@crandmck should the documentation be updated?

@bajtos
Copy link
Member Author

bajtos commented Jan 30, 2017

should the documentation be updated?

Yes please. Would you mind contributing this patch yourself, @jdhrivas? See http://loopback.io/doc/en/contrib/doc-contrib.html to get started.

@jdhrivas
Copy link
Contributor

jdhrivas commented Jan 30, 2017

@bajtos sure I can. This time I'll take a look at the guidelines before any pull request.

@crandmck
Copy link
Contributor

crandmck commented Jan 30, 2017

Awesome! Please make a note in loopbackio/loopback.io#200 when you open a PR... thanks.

@ibrahimahmed-io
Copy link

ibrahimahmed-io commented Feb 14, 2017

You can also add this line in the boot folder if you don't want to create a custom AccessToken model, I tried this and it definitely does the trick.

User.settings.allowEternalTokens = true;

@vladrmnv
Copy link

vladrmnv commented Mar 9, 2017
edited
Loading

@IbrahimAmin Thanks, this works, but I still had to create a "belongsTo" relationship for the AccessToken model :

  1. Add AccessToken model to the model-config.json
  2. Then in a boot script:
module.exports = function (app) {
  const models = app.models;
  const User = models.PUser; // my custom User model
  const AccessToken = models.AccessToken;

// enable eternal tokens
  User.settings.allowEternalTokens = true;
  // Since we are using custom User model, must hack the built-in relations for the AcessToken manually
  AccessToken.belongsTo(User, {foreignKey: 'userId'});
  AccessToken.relations.user = AccessToken.relations.pUser;
  delete AccessToken.relations.pUser;
};

Keep in mind, that if you have included "allowEternalTokens": true in your user model, then User.settings.allowEternalTokens = true; is unnecessary, since it would be already set

@bajtos
Copy link
Member Author

bajtos commented Mar 9, 2017

Thank you @Legited for the instructions.

FWIW, we have updated the documentation for setting up custom user/token models, see http://loopback.io/doc/en/lb3/Authentication-authorization-and-permissions.html#preparing-access-control-models.

There is no need to manipulate AccessToken relations in a boot script, the relation can be re-configured via server/model-config.json - see http://loopback.io/doc/en/lb3/Authentication-authorization-and-permissions.html#access-control-with-a-single-user-model

@vladrmnv
Copy link

vladrmnv commented Mar 9, 2017

@bajtos

Thanks, setting up relations in the model-config worker for me

@juancaacuna juancaacuna mentioned this pull request May 30, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ritch ritch ritch approved these changes

Assignees

@bajtos bajtos

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

10 participants

@bajtos @josephlaw @Shyri @brilvio @crandmck @jdhrivas @ibrahimahmed-io @vladrmnv @ritch