strongloop/loopback-example-user-management

How do you get "req.accessToken"? How do you make "accessToken" a prop of "req"?

wzup opened this issue · 10 comments

wzup commented

So you have this line in your example:

if (!req.accessToken) return res.sendStatus(401);
link: https://github.com/strongloop/loopback-example-user-management/blob/master/server/boot/routes.js#L45

Ok, looks fine. But how do you push the accessToken into req so that the accessToken can be checked out that way?

In your login route I only see this. You only return the accessToken on the client:

      res.render('home', {
        email: req.body.email,
        accessToken: token.id
      });

link https://github.com/strongloop/loopback-example-user-management/blob/master/server/boot/routes.js#L36

And what happens then? How is the accessToken a property of req, req.accessToken?

0x7b1 commented

Does anybody have the answer to this question? I'm asking about the same issue.

The same question here.

Same here...

See https://github.com/strongloop/loopback-example-user-management/blob/master/server/views/home.ejs#L4.

It's been a while since I wrote this, but I believe when you set enableAuth() (https://github.com/strongloop/loopback-example-user-management/blob/master/server/boot/authentication.js#L3), LoopBack will automatically parse access_token from the query string (https://github.com/strongloop/loopback-example-user-management/blob/master/server/views/home.ejs#L4).

@richardpringle Can you update the README in this example with the steps/reasoning for this? Ping me on Slack for more info.

@wzup @0x7b1 @smirnovshina @talpasco Can one of you guys confirm what I described by disabling enableAuth()? Once confirmed, I will get our doc guy to update the official documentation at docs.strongloop.com.

@wzup, @0x7b1, @smirnovshina, @talpasco

Sorry about the delayed response! For future reference, go to one of the following places to get help from the community:

But I also have an answer for you! @superkhau is right, enableAuth() enables app-wide authentication. You can also use the loopback.token() built-in middleware to pull the hashed access_token string out of the query string as well.

Either way, a middleware handling function will take the hashed string and use it to find the access token model instance (remember that the access token is a model itself) as the hashed string is the accessToken.id. This access token instance also belongs to a user instance, so it will contain a userId as well. The middleware function appends the access token instance to req.accessToken.

I believe that using enableAuth() adds the described middleware handling function at the routes phase. If you use loopback.token() middleware, you can place it in any of the LoopBack middleware phases. See the Defining Middleware docs for more details.

@superkhau, I'm not going to update the readme. The authentication boot script comes with any app created by generator-loopback by default (see predefined bootscripts), you don't touch the file if you build the tutorial code from scratch.

Closing.
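The mechanism described in the answer above, as an added sketch in plain Node.js (not code from this repository or from LoopBack itself): a middleware reads `access_token` from the query string, looks the id up in a token store, and attaches the instance to `req.accessToken`. The `tokens` map, `tokenIdFromRequest`, `tokenMiddleware`, `guard`, `handle` and the `/protected` path are hypothetical names; the expiry check and the Authorization header fallback are assumptions of this sketch.

```javascript
// Constructed sample data standing in for the AccessToken model.
// Ids, userIds and ttl values (seconds) are made up for this example.
const tokens = new Map([
  ['tok-valid', { id: 'tok-valid', userId: 1, ttl: 1209600, created: new Date() }],
  ['tok-expired', { id: 'tok-expired', userId: 2, ttl: 60,
                    created: new Date(Date.now() - 3600 * 1000) }],
]);

// Hypothetical helper: take the token id from ?access_token=... first,
// then fall back to a raw Authorization header (assumption of this sketch).
function tokenIdFromRequest(req) {
  const url = new URL(req.url, 'http://localhost');
  return url.searchParams.get('access_token') ||
    (req.headers && req.headers.authorization) || null;
}

// Simplified model of a token middleware: resolve the id to a token
// instance and, if it exists and has not expired, set req.accessToken.
// Unknown or expired ids leave req.accessToken undefined.
function tokenMiddleware(store) {
  return function (req, res, next) {
    const id = tokenIdFromRequest(req);
    const token = id ? store.get(id) : undefined;
    if (token) {
      const expires = token.created.getTime() + token.ttl * 1000;
      if (Date.now() < expires) req.accessToken = token;
    }
    next();
  };
}

// The check quoted in the question, reduced to a status code.
function guard(req) {
  return req.accessToken ? 200 : 401;
}

// Run a fake request through the middleware, then the guard.
function handle(url, headers) {
  const req = { url, headers: headers || {} };
  let status;
  tokenMiddleware(tokens)(req, {}, () => { status = guard(req); });
  return { status, userId: req.accessToken ? req.accessToken.userId : null };
}

console.log(handle('/protected?access_token=tok-valid'));   // token found
console.log(handle('/protected'));                          // no token sent
console.log(handle('/protected?access_token=tok-expired')); // token expired
```

A token id carried in the query string ends up in server access logs, browser history and Referer headers, so a header is the safer transport where the client allows it.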

@richardpringle I mean we should explain why the magic happens in a sidenote in the README. Basically we should combine my answer and your answer into a sidenote section explaining why they get a token. It doesn't matter if we don't touch the file, the end user still needs to know why they get a token.

@superkhau, proposed changes in #35. Please make any modifications directly on the branch and merge.

I have found that the access_token, header Authentication, and query request are not working. It failed to find the token id or the token key.

Hey @jjhesk, can you submit a new issue? Along with the new issue, it would be great if you could fork the repo and add the code so that we can just clone your fork to reproduce the issue.

Thanks in advance!