strongloop / loopback-component-storage

Storage component for LoopBack.

Can't seem to set accessScopes for download method... #283

Closed limitlis closed 4 years ago

limitlis commented 5 years ago

I've created the Model and set some ACLs, but when I try and set a specific accessScopes it doesn't look like it's doing anything. Granted, I'm new to scopes, but I tried looking all around and asking at the suggested place before posting here.

As outlined here: https://loopback.io/doc/en/lb3/Model-definition-JSON-file.html#remote-method-options


  "methods": {
    "download": {
      "accessScopes": ["read:media"]
    }
  }

but requesting results in:

  loopback:security:access-context --Context scopes of Artifact.download()-- +0ms
  loopback:security:access-context   method-level: ["DEFAULT"] +1ms
  loopback:security:acl --Denied by scope config-- +0ms
  loopback:security:acl Scopes allowed: List [ 'read:media' ] +0ms
  loopback:security:access-context --Context scopes of Artifact.download()-- +2ms
  loopback:security:access-context   method-level: ["DEFAULT"] +0ms
  loopback:security:acl Scope required: [ 'DEFAULT' ] +0ms
  loopback:security:access-context ---AccessContext--- +0ms
  loopback:security:access-context principals: +0ms
  loopback:security:access-context principal: {"type":"USER","id":"1"} +0ms
  loopback:security:access-context modelName Artifact +0ms
  loopback:security:access-context modelId undefined +0ms
  loopback:security:access-context property download +1ms
  loopback:security:access-context method download +0ms
  loopback:security:access-context accessType READ +0ms
  loopback:security:access-context --Context scopes of Artifact.download()-- +0ms
  loopback:security:access-context   method-level: ["DEFAULT"] +0ms
  loopback:security:access-context accessScopes ["DEFAULT"] +0ms
  loopback:security:access-context accessToken: +0ms
  loopback:security:access-context   id "0M95Y5ri5FahkoYEcGmE4l3aEtsHKEiXYVE2PXghqDBdBJxE2J8PDuuY0Jkawykf" +0ms
  loopback:security:access-context   ttl 604800 +0ms
  loopback:security:access-context   scopes ["read:media"] +0ms
  loopback:security:access-context getUserId() 1 +0ms
  loopback:security:access-context isAuthenticated() true +1ms

If I use a token without custom scopes then it works fine, but I'm trying to lock image fetching down by using these temporary limited-scope access tokens.

Is this not supported... Or am I missing something?
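
The scope check behind the denial in the debug output above, as an added example that is not part of the original post and not LoopBack's own code: it parses the scope lines from the log and applies the matching rule from LoopBack 3's authorization-scopes documentation. The function names are hypothetical and the check is a simplified model.

```javascript
// Simplified model of the token-scope check seen in the debug log.
// Not LoopBack source; parseScopes/isScopeAllowed/explain are hypothetical names.

// Lines copied verbatim from the issue's debug output.
const debugLines = [
  '  loopback:security:access-context   method-level: ["DEFAULT"] +0ms',
  '  loopback:security:access-context accessScopes ["DEFAULT"] +0ms',
  '  loopback:security:access-context   scopes ["read:media"] +0ms',
];

// Extract the scopes the invoked method requires and the scopes the token holds.
function parseScopes(lines) {
  const found = { required: null, token: null };
  for (const line of lines) {
    const m = line.match(/access-context\s+(method-level:|scopes)\s+(\[.*\])/);
    if (!m) continue; // e.g. the "accessScopes" summary line is skipped
    const list = JSON.parse(m[2]);
    if (m[1] === 'scopes') found.token = list;
    else found.required = list;
  }
  return found;
}

// Documented rule: a token may invoke a method when it was granted at least
// one of the method's accessScopes. A method without accessScopes requires
// ["DEFAULT"]; a token with no scopes set is treated as holding ["DEFAULT"].
function isScopeAllowed(tokenScopes, methodScopes) {
  const required = methodScopes && methodScopes.length ? methodScopes : ['DEFAULT'];
  const granted = Array.isArray(tokenScopes) ? tokenScopes : ['DEFAULT'];
  return granted.some((scope) => required.includes(scope));
}

function explain(lines) {
  const { required, token } = parseScopes(lines);
  return {
    required,
    token,
    allowed: isScopeAllowed(token, required),
    // True when the invoked method still carries only the default scope,
    // i.e. no custom accessScopes were attached to it at request time.
    methodUsesDefaultScope: required.length === 1 && required[0] === 'DEFAULT',
  };
}

console.log(explain(debugLines));
```

In the log, `method-level` is `["DEFAULT"]` rather than `["read:media"]`, so the first thing to verify is whether the `accessScopes` setting ever reached the `download` remote method that was actually invoked.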

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] commented 4 years ago

This issue has been closed due to continued inactivity. Thank you for your understanding. If you believe this to be in error, please contact one of the code owners, listed in the CODEOWNERS file at the top-level of this repository.