
CodeCoupler API Auth

CodeCoupler API Auth is an authentication and authorization component for Loopback.

By integrating this component you can add an @authenticate('jwt') decorator to each controller method to restrict access to users listed in a separate authentication database.

Additionally you can add an @authorize(allowedRoles: [...], scopes: [...], disallowedRoles: [...]) decorator to restrict access to users with specific roles or permissions only.

Your API will include the endpoints /auth/login, /auth/logout and /auth/me to log in, log out and get the current user's information.

Furthermore there are many endpoints such as /auth/user or /auth/roles to manage the authentication database. These endpoints are only accessible to users with the permission admin.users.

The authentication database structure allows you to add users, roles and permissions. Users can have multiple roles and roles can have multiple permissions. Furthermore you can allow and disallow permissions directly for specific users.
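To make the user/role/permission model and the @authorize check concrete, here is an added example in plain TypeScript. It is not code from the CodeCoupler API Auth project: the data shapes, the sample users and roles, and the precedence rules (a per-user disallow overrides any role grant, a disallowedRole rejects before anything else, every listed scope must be held) are assumptions made for illustration.

```typescript
// Added example (not project code): a minimal model of the authentication
// database and the checks an @authorize-style decorator needs.

interface Role { name: string; permissions: string[] }
interface User {
  username: string;
  roles: string[];
  allowedPermissions: string[];    // granted directly to this user
  disallowedPermissions: string[]; // revoked directly from this user
}
interface AuthorizeSpec {
  allowedRoles?: string[];
  scopes?: string[];
  disallowedRoles?: string[];
}

// Constructed sample roles (assumed names and permissions).
const ROLES: Record<string, Role> = {
  admin:   { name: 'admin',   permissions: ['admin.users', 'reports.read'] },
  analyst: { name: 'analyst', permissions: ['reports.read'] },
};

// Constructed sample users.
const ALICE: User = { username: 'alice', roles: ['admin'],   allowedPermissions: [], disallowedPermissions: [] };
const BOB:   User = { username: 'bob',   roles: ['analyst'], allowedPermissions: [], disallowedPermissions: ['reports.read'] };
const CAROL: User = { username: 'carol', roles: [],          allowedPermissions: ['admin.users'], disallowedPermissions: [] };

// Effective permissions = union of the user's role permissions, plus per-user
// allows, minus per-user disallows. Assumption: a disallow wins over a role grant.
function effectivePermissions(user: User): Set<string> {
  const perms = new Set<string>();
  for (const r of user.roles) {
    for (const p of ROLES[r]?.permissions ?? []) perms.add(p);
  }
  for (const p of user.allowedPermissions) perms.add(p);
  for (const p of user.disallowedPermissions) perms.delete(p);
  return perms;
}

// Evaluate an @authorize-style spec against a user. Assumptions: any
// disallowed role rejects outright; if allowedRoles is given the user needs at
// least one of them; if scopes is given the user needs all of them.
function isAuthorized(user: User, spec: AuthorizeSpec): boolean {
  if (spec.disallowedRoles?.some(r => user.roles.includes(r))) return false;
  const roleOk = !spec.allowedRoles || spec.allowedRoles.some(r => user.roles.includes(r));
  const perms = effectivePermissions(user);
  const scopeOk = !spec.scopes || spec.scopes.every(s => perms.has(s));
  return roleOk && scopeOk;
}
```

Note the order of the checks: the deny list is evaluated first so that a user who acquires a forbidden role through a later database change cannot still pass on the strength of a permitted role, and per-user disallows are subtracted last so an explicit revocation always beats an inherited grant.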

After a successful login you will get a response with a token, which the component will additionally try to save in a cookie [1]. Subsequent requests can use this cookie or (if not possible or not wanted) can send the token in a Bearer header.

If the cookie is used for the authentication handling, it will be refreshed on each request and thus its expiration will automatically be extended. You can disable the cookie refresh by sending the header no-session-refresh: 1.
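The following added TypeScript example (not code from the CodeCoupler API Auth project) shows the request-side handling described above: picking the token up from either the Bearer header or the cookie, honouring the no-session-refresh: 1 opt-out, and issuing the refreshed cookie with defensive attributes. The cookie name "token", the precedence of the Bearer header over the cookie, the lifetime and the cookie attributes are assumptions.

```typescript
// Added example (not project code): token transport and cookie refresh logic.

type RequestHeaders = Record<string, string>;
const COOKIE_NAME = 'token'; // assumed cookie name

// HTTP header names are case-insensitive, so look them up case-insensitively.
function header(headers: RequestHeaders, name: string): string | undefined {
  const want = name.toLowerCase();
  for (const k of Object.keys(headers)) {
    if (k.toLowerCase() === want) return headers[k];
  }
  return undefined;
}

// Parse a Cookie request header ("a=1; b=2") into a map.
function parseCookies(cookieHeader: string | undefined): Record<string, string> {
  const out: Record<string, string> = {};
  if (!cookieHeader) return out;
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const k = part.slice(0, idx).trim();
    const v = part.slice(idx + 1).trim();
    if (k) out[k] = decodeURIComponent(v);
  }
  return out;
}

// Assumption: an explicit Bearer header wins over the cookie when both are present.
function extractToken(headers: RequestHeaders): string | undefined {
  const auth = header(headers, 'authorization');
  const m = auth ? /^Bearer\s+(\S+)$/i.exec(auth) : null;
  if (m) return m[1];
  return parseCookies(header(headers, 'cookie'))[COOKIE_NAME];
}

// The refresh is on by default and switched off by "no-session-refresh: 1".
function shouldRefreshCookie(headers: RequestHeaders): boolean {
  return header(headers, 'no-session-refresh')?.trim() !== '1';
}

// Re-issue the cookie with a fresh Max-Age so the expiration slides forward.
// HttpOnly keeps scripts from reading it, Secure restricts it to HTTPS and
// SameSite=Strict limits cross-site sending (attributes are assumptions).
function refreshedCookie(token: string, maxAgeSeconds: number): string {
  return `${COOKIE_NAME}=${encodeURIComponent(token)}; Max-Age=${maxAgeSeconds}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Per-request decision: which token to use and whether to send a Set-Cookie.
function handleRequest(headers: RequestHeaders, ttlSeconds = 3600): { token?: string; setCookie?: string } {
  const token = extractToken(headers);
  if (!token) return {};
  return shouldRefreshCookie(headers)
    ? { token, setCookie: refreshedCookie(token, ttlSeconds) }
    : { token };
}
```

A client that sends the token only in the Bearer header still gets a Set-Cookie here; if that is unwanted, the no-session-refresh: 1 header is the documented way to suppress it. Note that the sliding expiration means a stolen cookie stays valid as long as it keeps being presented, which is the usual argument for keeping the lifetime short and for the HttpOnly and Secure attributes.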


  [1] Why store JWTs in cookies: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage