Is it possible to secure with JWT the endpoints generated with the Loopback v4 REST CRUD model endpoints generator

[dvision1979]

I have generated a Loopback 4 REST API application for CRUD operations against a relational DB, using the REST CRUD model endpoints generator available in Loopback 4: https://loopback.io/doc/en/lb4/Creating-crud-rest-apis.html

Now I trying to secure the endpoints, according to this: https://loopback.io/doc/en/lb4/Authentication-tutorial.html I should add an authenticate decoration to the class exports in the controller definitions. But in my case there is no such definition in my application, besides the one for the user endpoint.

How can I secure with JWT the endpoints generated with the Loopback v4 REST CRUD model endpoints generator?

Thanks for any suggestion.

[mrmodise]

Hi, have a look at the following:

https://loopback.io/doc/en/lb4/Authentication-overview.html

https://github.com/loopbackio/loopback4-example-shopping#authentication

[dvision1979]

Hi @mrmodise and thank you for your answer.
What I don't understand is while the examples in the documentation show how to secure a controller, the REST CRUD model endpoints generator does not expose any controller to be edited. So the question is: where to inject authentication in order to secure the REST CRUD generated endpoints.

[adrienrn]

I'm looking into this very thing as well and I would extend the discussion to authorization as well (since both authentication and authorization relies on annotations for the controller methods).

The following is a working solution but I don't know if it's the favored solution. I'm not part of the loopback team and this has never seen poduction.

From my understanding, @loopback/rest-crud is essentially doing 2 things for us:

1. Giving us a default CRUD controller, so that you don't have to implement each and every one manually;
2. Letting us register controllers using config, shall we say, auto-wiring for the dependency injection layer?

Reading about creating a custom CRUD controller in the README, I thought:

What if I use the package to create my base controller implementation, extend it to add the authenticate decorator(s) and register them myself?

Creating a whatever.controller.ts containing the call :

import { authenticate } from '@loopback/authentication';
import { Filter, repository } from '@loopback/repository';
import { defineCrudRestController } from '@loopback/rest-crud';
import { Whatever } from '../models';
import { WhateverRepository } from '../repositories';

const WhateverController = defineCrudRestController<
  Whatever,
  typeof Whatever.prototype.id,
  'id'
>(Whatever, { basePath: '/whatevers' });

// @authenticate('jwt') <- this works too
class WhateverControllerExtended extends WhateverController {
  constructor(
    @repository(WhateverRepository) protected whateverRepository: WhateverRepository,
  ) {
    super(whateverRepository);
  }

  @authenticate('jwt')
  async find(filter?: Filter<Whatever> | undefined): Promise<Whatever[]> {
    return super.find(filter);
  }
}

export default WhateverControllerExtended;

Registering the controller manually:

Under application.ts:

export class WhateverApplication extends BootMixin(
  ServiceMixin(RepositoryMixin(RestApplication)),
) {
  async boot(): Promise<void> {
    await super.boot();

    this.controller(WhateverControllerExtended);
  }
}

Now, fetching all the whatevers will give me the following:

$ http GET localhost:3000/whatevers
HTTP/1.1 401 Unauthorized
...
{
    "error": {
        "message": "Authorization header not found.",
        "name": "UnauthorizedError",
        "statusCode": 401
    }
}

And, fetching one whatever by id:

$ http GET localhost:3000/whatevers/1
HTTP/1.1 200 OK
{
    "id": 1
}

This is mainly bypassing the auto-wiring as in, I don't have a file under src/model-endpoints for this controller BUT I also leverage the CRUD repository implementation without having to ditch @loopback/rest-crud

[dvision1979]

Hi @adrienrn,

Thank you for sharing your solution. I will give it a try.

Regards ++.