
sourcefuse / loopback4-authentication

A loopback-next extension for authentication feature. Oauth strategies supported.

Home Page: https://www.npmjs.com/package/loopback4-authentication

License: MIT License

JavaScript 2.83% TypeScript 96.64% Shell 0.09% EJS 0.43%
loopback4 loopback4-extension authentication oauth2 sourceloop facebook-authentication instagram-authentication google-authentication keycloak arcbysf

loopback4-authentication's People

Contributors

akshatdubeysf, ankurbansalsf, arnaud16571542, arpit1503khanna, ashutosh-bansal-2136, barleendhaliwal, dependabot[bot], gautam23-sf, jyoti-13, mayank-sfin571, mayankrathi0403, mohamedaliby, raghavarorasf, rashisf, samarpan-b, semantic-release-bot, sf-kansara, sf-sahil-jassal, sfdevops, shubhamp-sf, surbhi-sharma1, tyagi-sunny, yeshamavani

loopback4-authentication's Issues

Package Update : loopback4-authentication

Describe the bug
Remove all current vulnerabilities of loopback4-authentication

To Reproduce
Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

Add option to @authenticate to allow anonymous users and authenticate users if possible

Hello,

For my public controller, I need to know if the user is authenticated.

So, in the controller's constructor I use the line below:
@inject(AuthenticationBindings.CURRENT_USER) private readonly user: AuthUser | undefined,
But the value is always undefined.

I discovered I needed to set an @authenticate(xxxxx) if I wanted to get the correct value.
However, if I set an @authenticate, access to the route MUST be authenticated. But I just want it to be optional.

How can I get the current user (if authenticated) ?
Thank you for your help.

Arnaud

Semantic Release

Is your feature request related to a problem? Please describe.
Adding semantic release for automatic release of packages.

Describe the solution you'd like
Using npm semantic-release

Describe alternatives you've considered

Additional context

include the passport-apple vendor files in package json

Describe the bug
The vendor files for passport apple should be a part of package.json to be a part of package.
To Reproduce
Steps to reproduce the behavior:

  1. while you try to install loopback4-authentication package
  2. the vendor files are missing in node-modules

Expected behavior
Vendor files should also be a part of the package

Facebook OAuth Login

Is your feature request related to a problem? Please describe.
Need a login functionality similar to Google/Instagram OAuth login.

semantic-release

Describe the bug
Changes for semantic-release
To Reproduce
Steps to reproduce the behavior:
when dependencies are updated with chore type new version is not released

Expected behavior
when dependencies are updated with chore type new version must be released

Support latest version of Loopback (mostly @loopback/[email protected])

Is your feature request related to a problem? Please describe.
Using the latest dependency version of loopback, with @loopback/[email protected], we can't do "npm install loopback4-authentication" because of an error: "unable to resolve dependency tree". Authentication's request loopback/rest@^9.3.0.

Describe the solution you'd like
Loopback4-authentication should be updated to use the latest version of @loopback/[email protected].

Describe alternatives you've considered
Not using the latest version of loopback4

Additional context
n/a

Google Auth

If I had downloaded and implemented this before google auth and usercredentials and auth provider were added to it, is it possible to now allow users to use their google sign in to use the app? What exactly would I need to add or change? Also, would the user be stored in the database if they authenticate with google?

500 Error: The key 'sf.passport.verifier.oauth2ClientPassword' is not bound to any value in context application

Describe the bug
I followed the instructions for loopback4-authentication and when I run the loopback server, it starts, but when I try to go to the actual page on the web, I get the error:
500 Error: The key 'sf.passport.verifier.oauth2ClientPassword' is not bound to any value in context application
at MealPlanApplication.getBinding (/Users/me/Desktop/folder/folder/node_modules/@loopback/context/dist/context.js:503:15)
I'm not sure how to fix/what is wrong exactly.

Loopback4 Bearer_Token authentication

Description / Steps to reproduce / Feature proposal

I tried following the example mentioned in https://www.npmjs.com/package/loopback4-authentication to get http-bearer configured.

Here is my simple project on Github: https://github.com/sherif2011/lb4_token

Current Behavior
When I run and try accessing localhost:3000, I get "500 JsonWebTokenError: jwt must be a string"

Expected Behavior
Expected to be able to access explorer and when I try to ping, would get an error: Unauthorized

Thank you!
Sherif

changing the verifier type of Azure AD

Describe the bug
The verifier type for Azure AD is not similar to other verifier functions.
The verifier type is missing access token and refresh token

Expected behavior
Should have access token and refresh token like others

Test case coverage lacking

Describe the bug
Test case coverage missing and not up to the mark

To Reproduce
We should have at least 75% unit test case coverage for this package.

Need refactoring as middleware

Is your feature request related to a problem? Please describe.
As Action-based sequence is now being phased out, we need to use middleware-based sequence.
This needs some refactoring of the providers.
According to lb4 doc, https://loopback.io/doc/en/lb4/Sequence.html, sequence action will be deprecated.

Describe the solution you'd like
The same package but loaded as middleware :)

Describe alternatives you've considered
None

Additional context
I will try to help, but my knowledge in this area is limited :/

Correction to the changelog format

Describe the bug
The changelog is not generated properly.
To Reproduce
Steps to reproduce the behavior:

  1. Release a new tag all.
  2. Check the changelog.
  3. The issue description is not present

Expected behavior
All the formatting should be proper

Screenshots

image

Code Duplication

Describe the bug
There are duplicate code blocks in action and middleware providers.

Amazon Cognito OAuth Login

Is your feature request related to a problem? Please describe.
Need a login functionality similar to Google/Facebook OAuth login.

typo error

Describe the bug
When a user enters a wrong password it shows Invalid redentials instead of Invalid Credentials in version 1.1.1

Binding for User Model

Is your feature request related to a problem? Please describe.
There should be a binding for User Model, which will be used for retrieving all the lost properties/methods of User while creating user Object from its jwt-token (as in Bearer Strategy).

Passport error incorrectly reported to Loopback

Describe the bug
If Passport Local Strategy detects a nonexistent user, loopback should throw an error like: {message : string, name:string, statusCode:number}.
Or, this is not the case. The passport strategy error thrown is {message : {message:string}, name:string, statusCode:number}.

To Reproduce
Steps to reproduce the behavior:
Submit a nonexistent user to authenticate, using passport Local strategy. It should throw an error.

Expected behavior
If Passport Strategy detects a nonexistent user, loopback should throw an error like: {message : string, name:string, statusCode:number}.

The error seems localized in the strategy-adapter.ts line 58, where the expected object is a string, and it receives an HTTPError object.
Or, the problem could be the LocalPasswordVerifyProvider which does not catch the repository.verifyPassword's HttpError to convert it to error:string.

Screenshots
If applicable, add screenshots to help explain your problem.
error1

The received error is
error2

Additional context
Below my corrected LocalPasswordVerifyProvider, modified to return a string in case of error.
So, my suggestion is to:

  • adapt the strategy-adapter.ts
  • or: update the LocalPasswordVerifyProvider with a try/catch, and rethrow a string error.

export class LocalPasswordVerifyProvider
  implements Provider<VerifyFunction.LocalPasswordFn> {
  constructor(
    @repository(UserRepository) public userRepository: UserRepository,
  ) { }

  value(): VerifyFunction.LocalPasswordFn {
    return async (username: any, password: any) => {
      try {
        const user: AuthUser = new AuthUser(
          await this.userRepository.verifyPassword(username, password),
        );
        user.permissions = [];
        user.tenant = new Tenant({ id: user.defaultTenant });
        return user;
      } catch (error) {
        // eslint-disable-next-line no-prototype-builtins
        if (HttpErrors.HttpError.prototype.isPrototypeOf(error)) {
          throw error.message;
        } else {
          throw new HttpErrors.Unauthorized(AuthErrorKeys.InvalidCredentials).message;
        }
      }
    };
  }
}

HELP

Please can you tell me how to run it in my local System and also Please can you tell me how to use it like I want to learn how to add Role-based access feature in the loopback app?
Or can you give some simple example which demonstrates this...

Stale Bot missing in the repository

Describe the bug
Currently the issues and PRs are never closed even if inactive.
They should be closed automatically.

To Reproduce
Steps to reproduce the behavior:

  1. Create a new issue/PR
  2. Observe it.
  3. Even after no activity it stays open.

Expected behavior
Inactive issues/PRs should be closed automatically.

Request for more detailed and customizable changelog

Is your feature request related to a problem? Please describe.
Right now the changelog created for releases is not well in detail and informative.
Request to generate detailed changelog.

Describe the solution you'd like
Can use different npm packages available

Also update all the loopback packages

Make AuthUser strict false

Describe the bug
The AuthUser model should not be strict. As when we send extra properties to it those are ignored.
make strict = false
To Reproduce
Steps to reproduce the behavior:
When additional fields are sent as a part of jwt token they are not a part of current user.

Expected behavior
Should allow extra fields as well

Making Client Secret Non Mandatory For Public Clients

Is your feature request related to a problem? Please describe.
Client Secret was mandatory for both types of clients, public and confidential, but a public client wouldn't require a secret to log in. Secret is mandatory only for confidential clients, and public clients can now log in without a secret.

Describe the solution you'd like
We allow public clients to log in without a client secret, and confidential clients need to pass their secret along with the request to log in.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Google Auth Implementation

In our project we have a requirement to use Google login for user authentication.
In our application, we are using loopback in the backend and planning for using Google Auth for logged users. So currently this package does not have Google authentication strategy. So it's good if we have this feature.

Modification- Make Client Secret Non Mandatory For Public Clients (Non Blocking Changes)

Is your feature request related to a problem? Please describe.
Make Client Secret Non Mandatory For Public Clients (Non Blocking Changes)

Describe the solution you'd like
Make Client Secret Non Mandatory For Public Clients (Non Blocking Changes)
Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Crontab authentication

Is your feature request related to a problem? Please describe.
My cron job executes many operations on behalf of itself (with its own username), or for a user. Actions done on the repository must be logged. So, I would like to authenticate my cron jobs.

Describe the solution you'd like
Cron jobs don't go through the sequence, so the existing implementation does not work well. I need CronJob to be able to impersonate a user that can work with DefaultUserModifyCrudRepository, so operations done by the job can be logged.

The crontab should know its username:

  1. before its instantiation (something that can be statically attributed in app
  2. during execution, after doing some queries. The crontab should be able to change its username several times during execution.

Describe alternatives you've considered
For now, I can't use DefaultUserModifyCrudRepository with my cronjobs :(, as this Crud needs an AuthUser to work.

Additional context
It is probably not a big deal, I tried to mess with Binding & Context, to set manually an AuthUser. However, I'm not skilled enough on these functionalities :( .

README clarity

Description
The README talks about implementing Http-bearer strategy that seems to have some missing imports (RevokedTokenRepository) for the BearerTokenVerifyProvider example. I eventually found them in the starter project repo but thought, for posterity, it would be nice to have those imports mentioned and linked to either examples or illustrated before they are used. I, so far, was able to follow along and get things to work but got stuck here for a bit. Otherwise this is a great tutorial, I love it! :)

Unable to access info like roles, claims, attribute etc in keycloak Profile after Keycloak authentication

Describe the bug
After successful authentication from keycloak, not able to receive role as a part of keycloak user's profile.

To Reproduce
Steps to reproduce the behavior:

  1. Authenticate via Keycloak-passport
  2. On successful authentication, user profile is returned
  3. User profile does not have role data, as defined in keycloak, associated with it

Expected behavior
Profile must return roles as well as all other user data along with it.

Screenshots
image

Additional context
The passport-keycloak library returns limited user information. The information scope must be increased
