Authorization decoration of generated/dynamic CRUDRestControllers - is it in anyway possible?

[roberttaylortech]

How can we best tap into the potential of generated CrudRestControllers while also achieving great authorization? Is there a way?

Wondering if anybody in the community has any experience or guidance on how one could use
Authorization decorators (or any custom decoration?)(https://loopback.io/doc/en/lb4/Decorators_authorize.html) on generated CrudRestControllers/endpoints? (https://loopback.io/doc/en/lb4/Creating-crud-rest-apis.html).

Looked at the src for crud-rest.controller.ts and it just seems like there is no way to really do it.

It seems like it's not easily possible to use any decoration of endpoints in a CrudRestController without taking a very hacky approach and/or wholesale duplicating the code in crud-rest.controller.ts and that we'll have to basically write every endpoint for every model by hand.

Maybe someone has come up with something or has some guidance on an approach? Is the only way to use auth with CrudRestController with the AuthorizationComponent as of now to use Authorizer functions (https://loopback.io/doc/en/lb4/Authorization-component-authorizer.html)

Thanks to all! :)

[achrinza]

There was some prior discussion if we wanted to expand the API of @loopback/rest-crud: #6086.

Generally, there's been no consensus on this matter as the JSON-style API itself is quite opinionated (i.e. Not as flexible as full-blown Controllers), which was a similar issue seen in LoopBack 3.

The discussion was a while back, so it could be a good opportunity to revisit; Though the problems stated by #6086 (comment) are still open.

[roberttaylortech]

@achrinza thanks much for pointing out #6806 very helpful! :)

I think it would be great to have this perspective added to the documentation: "The idea behind rest-crud is to allow users to quickly scaffold the default REST API. If your project has outgrown the default REST API shape, then I recommend to use lb4 repository and lb4 controller instead. " (i.e. it's just for quickly scaffolding an example API and that if you need to decorate, remove or methods, or really do anything you probably really need, then you should use lb4 repository and lb4 controller to generate great a baseline controller and customize from there.

Will also have to start thinking about what a good design might look like for a forked @loopback/rest-crud that supports more flexible extension/customization.

Would love to hear more comments and ideas from others!