Open Kenny477 opened 2 years ago
https://medium.com/@khlilturki97/loopback-4-jwt-authentication-acl-724c9cdb8e8b
See this. Also look into middleware for httpOnly cookies. We shouldn't have to set cookies client side and instead use the Set-Cookie header on the response when using the login route. These cookies should be httpOnly to prevent XSS and then we need to create middleware to set the Authorization header Bearer token when we need to make an authenticated request.
For future reference, though, when we need to go over security.
Some other resources
Add role-based access control to our backend API endpoints. Some options mentioned in the Loopback 4 migration docs are Casbin (documented) and OAuth2.0 (not documented). The Casbin documentation is not complete and won't automatically add new policies when users are created.
See https://loopback.io/doc/en/lb4/migration-auth-overview.html and https://loopback.io/doc/en/lb4/migration-auth-access-control-example.html for more information.
I think for now the simplest way is to introduce a new layer to our backend that intercepts requests, then checks the user's role against a list of roles that we specify can access each endpoint, and also whether or not the user needs to be the owner of the resource.
I will also look for other more established alternatives that we can potentially implement.
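To make the proposed interception layer concrete, here is an added TypeScript sketch of the core check (not code from this issue or the project): a default-deny policy table mapping endpoints to the roles allowed to call them, with an optional owner-only flag. The route patterns, role names and resource shape are constructed for illustration; in LoopBack 4 this function would be called from an interceptor or middleware after the principal has been decoded from the Bearer token.

```typescript
// Added example: role + ownership check behind a request interceptor.
type Role = "admin" | "member" | "guest";

interface Rule {
  roles: Role[];        // roles permitted to call the endpoint
  ownerOnly?: boolean;  // non-admins must also own the target resource
}

// Constructed sample policy, keyed by "METHOD /path-pattern".
// Anything not listed here is denied (default deny).
const POLICY: Record<string, Rule> = {
  "GET /projects": { roles: ["admin", "member", "guest"] },
  "POST /projects": { roles: ["admin", "member"] },
  "DELETE /projects/:id": { roles: ["admin", "member"], ownerOnly: true },
};

interface Principal { id: string; role: Role }   // decoded from the JWT
interface Resource { ownerId: string }           // loaded by the controller

// Find the first rule whose method and pattern match the request.
// ":param" segments match any single path segment.
function matchRoute(method: string, path: string): Rule | undefined {
  for (const [key, rule] of Object.entries(POLICY)) {
    const [m, pattern] = key.split(" ");
    if (m !== method) continue;
    const re = new RegExp("^" + pattern.replace(/:[^/]+/g, "[^/]+") + "$");
    if (re.test(path)) return rule;
  }
  return undefined;
}

// Decide whether the request may proceed. An absent principal is treated
// as the "guest" role; owner-only rules always deny unauthenticated callers.
function authorize(
  user: Principal | undefined,
  method: string,
  path: string,
  resource?: Resource,
): "allow" | "deny" {
  const rule = matchRoute(method, path);
  if (!rule) return "deny";                       // unlisted endpoint
  const role: Role = user ? user.role : "guest";
  if (!rule.roles.includes(role)) return "deny";  // role not permitted
  if (rule.ownerOnly && role !== "admin") {       // admins bypass ownership
    if (!user || !resource || resource.ownerId !== user.id) return "deny";
  }
  return "allow";
}
```

A policy table like this is easy to review and does not need to be touched when users are created, which addresses the Casbin concern above.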