Describe the bug
If the Passport Local Strategy detects a nonexistent user, LoopBack should throw an error like: `{message: string, name: string, statusCode: number}`.
However, this is not the case. The error thrown by the Passport strategy is `{message: {message: string}, name: string, statusCode: number}`.
To Reproduce
Steps to reproduce the behavior:
Submit a nonexistent user for authentication, using the Passport Local strategy. It should throw an error.
Expected behavior
If the Passport strategy detects a nonexistent user, LoopBack should throw an error like: `{message: string, name: string, statusCode: number}`.
The error seems to be located in strategy-adapter.ts, line 58, where the expected object is a string but an HTTPError object is received.
Or the problem could be the LocalPasswordVerifyProvider, which does not catch the HttpError from repository.verifyPassword to convert it to error: string.
Screenshots
![error1](https://user-images.githubusercontent.com/46076080/119388875-292b0400-bccb-11eb-8fc4-86b47c2fe112.png)
The received error is
![error2](https://user-images.githubusercontent.com/46076080/119389068-655e6480-bccb-11eb-8c86-b821326e8747.png)
Additional context
Below is my corrected LocalPasswordVerifyProvider, modified to return a string in case of error.
So my suggestion is to:
- adapt the strategy-adapter.ts
- or: update the LocalPasswordVerifyProvider with a try/catch, and rethrow a string error.
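```ts
import {Provider} from '@loopback/context';
import {repository} from '@loopback/repository';
import {HttpErrors} from '@loopback/rest';
import {AuthErrorKeys, VerifyFunction} from 'loopback4-authentication';
// AuthUser, Tenant and UserRepository come from the application's own
// models and repositories; their import paths are project-specific.

export class LocalPasswordVerifyProvider
  implements Provider<VerifyFunction.LocalPasswordFn> {
  constructor(
    @repository(UserRepository) public userRepository: UserRepository,
  ) {}

  value(): VerifyFunction.LocalPasswordFn {
    return async (username: any, password: any) => {
      try {
        const user: AuthUser = new AuthUser(
          await this.userRepository.verifyPassword(username, password),
        );
        user.permissions = [];
        user.tenant = new Tenant({id: user.defaultTenant});
        return user;
      } catch (error) {
        // Rethrow only the message string, so the adapter receives a string
        // rather than an HttpError object.
        // eslint-disable-next-line no-prototype-builtins
        if (HttpErrors.HttpError.prototype.isPrototypeOf(error)) {
          throw error.message;
        } else {
          // Any other failure is reported as invalid credentials.
          throw new HttpErrors.Unauthorized(AuthErrorKeys.InvalidCredentials).message;
        }
      }
    };
  }
}
```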
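The first suggestion above (making the adapter always produce a string `message`), sketched as an added example that is not code from this report or from the library. `HttpErrorLike`, `flattenMessage` and `toFlatAuthError` are hypothetical names, the stand-in class models only the fields named in the report, and the sample messages are constructed.

```typescript
// Stand-in for an HTTP error object (assumption: only the fields named in
// the report are modelled; this is not the real HttpError class).
class HttpErrorLike extends Error {
  constructor(public statusCode: number, name: string, message: unknown) {
    super();
    this.name = name;
    // Untyped on purpose: reproduces an object landing in `message`.
    (this as {message: unknown}).message = message;
  }
}

interface FlatAuthError {
  message: string;
  name: string;
  statusCode: number;
}

// Hypothetical helper: follow nested `message` fields until a string is found.
// The depth cap stops on cyclic or unexpectedly deep values.
function flattenMessage(value: unknown, depth = 0): string {
  if (typeof value === 'string') return value;
  if (depth < 5 && typeof value === 'object' && value !== null && 'message' in value) {
    return flattenMessage((value as {message: unknown}).message, depth + 1);
  }
  return 'Unauthorized'; // generic fallback when no string can be recovered
}

// Hypothetical helper: coerce whatever the verify function threw (a string,
// an error object, or an error wrapping another error) into the flat shape
// {message: string, name: string, statusCode: number}.
function toFlatAuthError(thrown: unknown): FlatAuthError {
  const outer = (typeof thrown === 'object' && thrown !== null
    ? thrown
    : {}) as Partial<FlatAuthError>;
  return {
    message: flattenMessage(thrown),
    name: typeof outer.name === 'string' ? outer.name : 'UnauthorizedError',
    statusCode: typeof outer.statusCode === 'number' ? outer.statusCode : 401,
  };
}
```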