feat: addition of current user authentication in the request to creat… #71
Conversation
austin047
force-pushed
the
user-order-authentication-with-jwt
branch
from
32bfd3d to
71b5f5f
Compare
| @requestBody() order: Order, | ||
| ): Promise<Order> { | ||
| if (currentUser.id !== userId) { | ||
| throw new HttpErrors.BadRequest( | ||
| `User id does not match looged in user: ${userId} !== ${ |
There was a problem hiding this comment.
User id does not match looged in user:
should be
User id does not match logged in user:
austin047
force-pushed
the
user-order-authentication-with-jwt
branch
9 times, most recently
from
b26c70e to
7da2091
Compare
…e a new order Updated the create order method that handles post request to create a user order to authenticate against the current user before an order can be created, the client will have to pass the authentication token in the request header which will be authenticated before the order is created BREAKING CHANGE: For an order to be created the client must pass the authentication token in the request header, otherwise a 401 Unauthorized error will be generated feat loopbackio#43 Signed-off-by: austin047 <fuhaustin@gmail.com>
Signed-off-by: Raymond Feng <enjoyjava@gmail.com>
Signed-off-by: austin047 <fuhaustin@gmail.com>
jannyHou
force-pushed
the
user-order-authentication-with-jwt
branch
from
7da2091 to
6903c1c
Compare
Signed-off-by: jannyHou <juehou@ca.ibm.com>
There was a problem hiding this comment.
@austin047 Thank you so much for adding the authentication for creating the orders of the logged in user.
I left a few comments and rebased your branch(including some trivial change in the last commit to get tests pass). Let me know if you have any questions.
And would you like to rewrite endpoint GET /orders (returns all orders of the current user) as well?
It's ok to leave it out of the scope of this PR, depends on you 🙂
| @requestBody() order: Order, | ||
| ): Promise<Order> { | ||
| if (currentUser.id !== order.userId) { |
There was a problem hiding this comment.
The rewrite here is different from the expected behaviour:
The expected requirement mentioned here is don't take in userId from request:
@authenticate('jwt')
async createOrder(
@inject('authentication.currentUser') currentUser: UserProfile,
@requestBody() order: Order,
) {
if (!currentUser.id) {
throw new HttpErrors.BadRequest(`No user logged in.`);
}
// The rest of code that creates orders for the logged in user.
}But your logic which compares the logged in user id and the id from query also makes sense to me.
If aligning with the original requirements costs too much effort I am ok with the approach here.
Any thought @strongloop/loopback-next ?
There was a problem hiding this comment.
Yes please, we should really remove userId argument from this controller method.
In the implementation proposed by this pull request, there are too many places where user id can be specified:
userIdas a path parameterorder.userIdfrom request bodycurrentUser.idfrom the authentication layer
| it('creates an order for a user with a given orderId', async () => { | ||
| const newUser = await userRepo.create(user); | ||
| const userId = newUser.id.toString(); | ||
| const order = givenAOrder({userId: userId, orderId: '1'}); |
| password: plainPassword, | ||
| }); | ||
|
|
||
| const order = givenAOrder({userId: userId}); |
There was a problem hiding this comment.
any reason not provide the orderId here?
There was a problem hiding this comment.
Ideally, I'd like the server to fill userId so that the clients making HTTP requests to create new orders don't have to. I.e. this test should pass with const order = givenAnOrder() too.
|
@austin047, there are a few review comments from the maintainers. Are you interested to continue to work on this PR? Thanks! |
|
Yes, I will work on it as soon as possible. |
austin047
force-pushed
the
user-order-authentication-with-jwt
branch
5 times, most recently
from
da2c61e to
4020dc2
Compare
Client can create an order without passing the userId in the body of the request, the serve collects the userId from the url and compares against the authenticated user(Current User) and the creates the order for that user. ✅ Closes: loopbackio#43 refactor: 💡 remove debug console logs Remove console logs created for debug purposes Signed-off-by: Fuh Austin <fuhaustin@gmail.com>
austin047
force-pushed
the
user-order-authentication-with-jwt
branch
from
4020dc2 to
55854d1
Compare
| @@ -35,13 +37,29 @@ export class UserOrderController { | |||
| }, | |||
| }, | |||
| }) | |||
| @authenticate('jwt') | |||
| async createOrder( | |||
| @param.path.string('userId') userId: string, | |||
There was a problem hiding this comment.
Let's remove the userId argument please, we should take the id from currentUser.
|
Hey @austin047 Are you interested in continuing work on this PR? I'll happily complete the work if you would prefer. Thanks. |
|
@jannyHou @hacksparrow should this PR be closed as inactive? |
|
@dougal83 Thank you for checking it, yes I think after refactoring the shopping app, all orders endpoints are secured in https://github.com/strongloop/loopback4-example-shopping/blob/master/packages/shopping/src/controllers/user-order.controller.ts To continue(or open a new PR), are you planning to remove the And really appreciate @austin047 's effort on updating it after auth was first added in this example. There are several breaking changes made since then. |
|
@jannyHou Probably easier to close this PR and start afresh from the current master. If you could create the story/issue with help wanted tag I'll pick it up when I have a moment unless someone beats me to it. Thank you. |
|
@dougal83 Thank you created story in #629 |
…e a new order
Updated the create order method that handles post request to create a user order to authenticate
against the current user before an order can be created, the client will have to pass the
authentication token in the request header which will be authenticated before the order is created
BREAKING CHANGE: For an order to be created the client must pass the authentication token in the
request header, otherwise a 401 Unauthorized error will be generated
feat #43