CodeCoupler API Auth
CodeCoupler API Auth is an authentication and authorization component for LoopBack.
By integrating this component you can add an `@authenticate('jwt')` decorator to each controller method
to restrict access to users listed in a separate authentication database.
Additionally you can add an `@authorize(allowedRoles:[...],scopes:[...],disallowedRoles:[...])`
decorator to restrict access to users with specific roles or permissions.
Your API will include the endpoints `/auth/login`, `/auth/logout` and `/auth/me`
to log in, log out and get the current user's information.
Furthermore there are many endpoints like `/auth/user` or `/auth/roles` to manage the authentication
database. These endpoints are only accessible to users with the permission `admin.users`.
The authentication database structure allows you to add users, roles and permissions. Users can have multiple roles and roles can have multiple permissions. Furthermore you can allow and disallow permissions directly for specific users.
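To make the role/permission model concrete, here is an added illustration (not the component's own code) of how an effective permission set can be resolved and how an `@authorize(...)` decision could be evaluated against it. The data shapes, the field names `allowedPermissions`/`disallowedPermissions`, and the decision semantics (direct denials override role grants, a disallowed role always blocks, all listed scopes must be held, at least one allowed role must be held) are assumptions for this example, as is the sample data.

```typescript
// Added example; the data shapes and decision rules below are assumptions, not the component's API.
type Role = { name: string; permissions: string[] };
type User = {
  username: string;
  roles: string[];
  allowedPermissions: string[];    // assumed: permissions granted directly to this user
  disallowedPermissions: string[]; // assumed: permissions revoked directly for this user
};
type AuthorizeOptions = {
  allowedRoles?: string[];
  scopes?: string[];
  disallowedRoles?: string[];
};

// Constructed sample data for the example.
const SAMPLE_ROLES: Role[] = [
  { name: 'admin', permissions: ['admin.users', 'content.edit'] },
  { name: 'editor', permissions: ['content.edit'] },
];
const SAMPLE_USERS: Record<string, User> = {
  alice: { username: 'alice', roles: ['admin'], allowedPermissions: [], disallowedPermissions: [] },
  // bob gets one extra permission directly and loses one that his role would grant.
  bob: { username: 'bob', roles: ['editor'], allowedPermissions: ['reports.view'], disallowedPermissions: ['content.edit'] },
};

/** Union of all role permissions plus direct grants, minus direct denials (denials win). */
function effectivePermissions(user: User, roles: Role[]): Set<string> {
  const byName = new Map<string, Role>();
  for (const r of roles) byName.set(r.name, r);
  const perms = new Set<string>();
  for (const roleName of user.roles) {
    const role = byName.get(roleName);
    if (role) role.permissions.forEach(p => perms.add(p));
  }
  user.allowedPermissions.forEach(p => perms.add(p));
  // A direct denial removes the permission even if a role would grant it.
  user.disallowedPermissions.forEach(p => perms.delete(p));
  return perms;
}

/** Evaluate assumed @authorize semantics: deny-first, then required scopes, then allowed roles. */
function isAuthorized(user: User, roles: Role[], opts: AuthorizeOptions): boolean {
  if (opts.disallowedRoles && opts.disallowedRoles.some(r => user.roles.includes(r))) return false;
  const perms = effectivePermissions(user, roles);
  if (opts.scopes && !opts.scopes.every(s => perms.has(s))) return false;
  if (opts.allowedRoles && !opts.allowedRoles.some(r => user.roles.includes(r))) return false;
  return true;
}
```

Evaluating denials before grants is the property worth checking in any such model: a permission revoked for a user must stay revoked no matter how many roles would otherwise grant it.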
After successful login you will get a response with a token, which the component will additionally try to save in a cookie [1]. Subsequent requests can use this cookie or (if not possible or not wanted) can send the token in a Bearer Authorization header.
If the cookie is used for authentication, the cookie is refreshed on each request
and thus its expiration is automatically extended. You can disable the cookie refresh by
sending the header `no-session-refresh: 1`.
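The following added example (not the component's own code) shows the request-side handling the two paragraphs above describe: locating the token in either a Bearer header or a cookie, and deciding whether the cookie should be refreshed for this request. The cookie name `token`, the precedence of the Bearer header over the cookie, the cookie attributes and the TTL are assumptions; the sample headers are constructed.

```typescript
// Added example; cookie name, header precedence and cookie attributes are assumptions.
const TOKEN_COOKIE = 'token'; // assumed cookie name
type RequestHeaders = Record<string, string | undefined>; // keys are lower-cased header names
type TokenSource = 'bearer' | 'cookie';

/** Parse a Cookie request header into name/value pairs; malformed values are kept verbatim. */
function parseCookies(header: string | undefined): Record<string, string> {
  const out: Record<string, string> = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    try { out[name] = decodeURIComponent(raw); } catch { out[name] = raw; }
  }
  return out;
}

/** Find the token: Bearer header first (assumed precedence), then the session cookie. */
function extractToken(headers: RequestHeaders): { token: string; source: TokenSource } | null {
  const auth = headers['authorization'];
  if (auth) {
    const m = /^Bearer\s+(\S+)$/i.exec(auth.trim());
    if (m) return { token: m[1], source: 'bearer' };
  }
  const cookies = parseCookies(headers['cookie']);
  if (cookies[TOKEN_COOKIE]) return { token: cookies[TOKEN_COOKIE], source: 'cookie' };
  return null;
}

/** Only cookie sessions slide; the client opts out with `no-session-refresh: 1`. */
function shouldRefreshCookie(headers: RequestHeaders, source: TokenSource): boolean {
  if (source !== 'cookie') return false;
  return (headers['no-session-refresh'] || '').trim() !== '1';
}

/** Build the Set-Cookie value for a refreshed session with a new expiry. */
function buildRefreshedCookie(token: string, ttlSeconds: number, now: Date): string {
  const expires = new Date(now.getTime() + ttlSeconds * 1000).toUTCString();
  // HttpOnly keeps the token away from page scripts; SameSite limits cross-site sending.
  return `${TOKEN_COOKIE}=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=Strict; Expires=${expires}`;
}
```

With the sliding expiry, a session stays alive as long as the client keeps using it; background polling requests that should not count as activity are the natural place to send `no-session-refresh: 1`.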
[1] Why Store JWT in Cookies: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage