not all authentication strategy triggers when applied multple strategies

[rajkaran]

I have implemented multiple authetication strategy but they are acting as OR either of them passes endpoint is accessible. Is there a way I can make it AND logic so that both needs to pass.

@authenticate({strategy: 'accesskey', options: {permission: 'write'}}, {strategy: 'jwt'})

If user provides valid access key but invalid jwt token still gets access to the endpoint. I want to prevent it, user should provide valid access key and jwt token to access resources.
Please suggest how can I acheive this?

I have built JWT authentication strategy following https://loopback.io/doc/en/lb4/Authentication-tutorial.html tutorial
I have built accessKey strategy based on the #9232 conversation

[nflaig]

If user provides valid access key but invalid jwt token still gets access to the endpoint. I want to prevent it, user should provide valid access key and jwt token to access resources.

In that case you need a single authentication strategy which verifies both. The concept of multiple strategies is that you can use different mechanism to authenticate against an endpoint.

You could split them up as well and have jwt as authentication strategy and accesskey as authorization strategy, those would then be evaluated as a logical AND.

[rajkaran]

I have few endpoints which are only authenticating with access key. wheras others are using both.
Your suggestion is I should add access key verification in authorization also to get logical AND?

[nflaig]

You could also just implement a 3rd strategy which combines both strategies.

[rajkaran]

thank you @nflaig I will try that either option.