loopback.getCurrentContext() is null when setting the accessToken from a cookie.

[julien-sarazin]

I had to dig into the sources to understand why the accessToken was available from req.signedCookies but not set on the current context, even after adding :

app.use(loopback.token({
        model: app.models.AuthToken
}));

And i came to this (middleware/token.js)

 TokenModel.findForRequest(req, options, function(err, token) {
      req.accessToken = token || null;
      rewriteUserLiteral(req, currentUserLiteral);
      var ctx = loopback.getCurrentContext();
      if (ctx) ctx.set('accessToken', token);
      next(err);
    });

The token is properly fetched but the context is always null.

I tried to understand the context creation flow and it seems that you initialize the context during the routes:loopback#rest which is (i think) too late for those who we need to bind something to the context before the route execution.

I'm pretty new to loopback so i might have missed something.
EDIT: Still looking for a solution to make the accessToken available from the context. Thanks.

[julien-sarazin]

I've found a hacky solution that fit with my needs for now but doesn't work with ACL. :
1 - enabling HTTP in context in config.json

"remoting": {
    "context": {
      "enableHttpContext": true
    }
}

2 - using the ctx.http.req.accessToken

    Coder.current = function(cb){
        var context = loopback.getCurrentContext().active;
        return Coder.findById(context.http.req.accessToken.coderId)
    };

3 - ACL restrictions does not work (401 even when i'm authenticated)

    {
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "ALLOW",
      "property": "current",
      "accessType": "EXECUTE"
    }

My question: It is possible to combine Passport + Built-in ACL ? If so, can someone tells me how, cause it's driving me crazy.

Thanks!

[barboni]

👍

[julien-sarazin]

Found the solution to get the accessToken from the currentContext, from the cookie.
Force the context creation in the middleware.json file

  "session": {},
  "session:after":{
    "loopback#context": {}
  },
  "auth": {},
  "parse": {},
  "routes": {
    "loopback#rest": {
      "paths": [
        "${restApiRoot}"
      ]
    }
  }

And set the custom AccessToken model (AuthToken for me) after the boot

app.use(loopback.token({model: app.models.AuthToken}));

i'm still having an issue with ACL that does not work. But i'll open another issue.

[julien-sarazin]

Last message, fixed the problem with ACL, the relation between my custom User model (Coder) had a foreign key with my custom AccessToken (AuthToken) named coderId. Built-in ACL won't work if the key is different from userId.

[davidcheung]

Possibly related : #1676

[davidcheung]

Last message, fixed the problem with ACL, the relation between my custom User model (Coder) had a foreign key with my custom AccessToken (AuthToken) named coderId. Built-in ACL won't work if the key is different from userId.

Going to keep discussion on #1676 and close this issue, thanks.