⚠️ This LoopBack 3 example project is no longer maintained. Please refer to LoopBack 4 Examples instead. ⚠️
```
$ git clone https://github.com/strongloop/loopback-example-access-control
$ cd loopback-example-access-control
$ npm install
$ node .
```
In this example, we create "Startkicker" (a basic Kickstarter-like application) to demonstrate authentication and authorization mechanisms in LoopBack. The application consists of four types of users:
- `guest`
- `owner`
- `team member`
- `administrator`
Each user type has permission to perform tasks based on their role and the application's ACL (access control list) entries.
Application information:

- Name: `loopback-example-access-control`
- Directory to contain the project: `loopback-example-access-control`

```
$ lb app loopback-example-access-control
... # follow the prompts
$ cd loopback-example-access-control
```
Model information:

- Name: `user`
  - Datasource: `db (memory)`
  - Base class: `User`
  - Expose over REST: `No`
  - Properties: none
- Name: `team`
  - Datasource: `db (memory)`
  - Base class: `PersistedModel`
  - Expose over REST: `No`
  - Properties: `ownerId`, `memberId`
- Name: `project`
  - Datasource: `db (memory)`
  - Base class: `PersistedModel`
  - Expose over REST: `Yes`
  - Properties: `name`, `balance`

> No properties are required for the `user` model because we inherit them from the built-in `User` model by specifying it as the base class.

```
$ lb model user
... # follow the prompts, repeat for `team` and `project`
```
Define three remote methods in `project.js`: `listProjects`, `donate`, and `withdraw` (these are the custom endpoints the ACLs below refer to).

Then define the model relations:

- `user` has many
  - `project` (property name for the relation: `projects`, custom foreign key: `ownerId`)
  - `team` (property name for the relation: `teams`, custom foreign key: `ownerId`)
- `team` has many
  - `user` (property name for the relation: `members`, custom foreign key: `memberId`)
- `project` belongs to
  - `user` (property name for the relation: `user`, custom foreign key: `ownerId`)
Create a boot script named `sample-models.js`.

This script does the following:

- Creates three users (`John`, `Jane`, and `Bob`)
- Creates a project with `John` as the owner, and adds `John` and `Jane` as team members
- Creates a project with `Jane` as the owner and solo team member
- Creates a role named `admin` and adds a role mapping to make `Bob` an `admin`
LoopBack comes preconfigured with EJS out-of-box. This means we can use server-side templating by simply setting the proper view engine and a directory to store the views.
Create a `views` directory to store server-side templates.

```
$ mkdir server/views
```

Create `index.ejs` in the views directory.

Configure `server.js` to use server-side templating. Remember to import the `path` package.
Create `routes.js`. This script does the following:

- Defines a `GET /` route to render `index.ejs`
- Defines a `GET /projects` route to render `projects.ejs`
- Defines a `POST /projects` route that renders `projects.ejs` when the credentials are valid and `index.ejs` when they are invalid
- Defines a `GET /logout` route to log the user out

> When you log in successfully, `projects.ejs` is rendered with the authenticated user's access token embedded into each link. This keeps the example simple, but a token carried in a URL query string ends up in browser history, referrer headers and server logs; a production application should send it in the `Authorization` header or a cookie instead.
Create the `views` directory to store views.

In this directory, create `index.ejs` and `projects.ejs`.
Create `role-resolver.js`.

This file registers a resolver for the `teamMember` role. It checks that the access context relates to the `project` model and that the request carries an authenticated user; if either check fails, the role is not granted and the request is denied. Otherwise it looks up the requested project and grants the role only if the user is a member of the project owner's team.
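The resolver logic described above, written out as an added example (this is not the project's own `role-resolver.js`). LoopBack's registration API, `Role.registerResolver(name, function(role, context, cb))`, and the context fields it reads (`modelName`, `modelId`, `model`, `accessToken.userId`) are real; the `Role`, `Project` and `Team` objects below are hypothetical in-memory stand-ins so the code runs without LoopBack, and the sample rows are constructed to mirror `sample-models.js`. The team-membership rule assumed here is that a `team` row exists with `ownerId` equal to the project's owner and `memberId` equal to the requesting user.

```javascript
// Added example, not the project's role-resolver.js. Mocks stand in for
// LoopBack's Role and model objects so the resolver logic can be run alone.

// Constructed sample data (ids hypothetical), mirroring sample-models.js.
const users = [
  { id: 1, username: 'John' },
  { id: 2, username: 'Jane' },
  { id: 3, username: 'Bob' },
];
const projects = [
  { id: 1, name: 'project1', balance: 100, ownerId: 1 }, // John's project
  { id: 2, name: 'project2', balance: 100, ownerId: 2 }, // Jane's project
];
// team rows are (ownerId, memberId) pairs, as in the `team` model
const teams = [
  { ownerId: 1, memberId: 1 }, // John on his own team
  { ownerId: 1, memberId: 2 }, // Jane on John's team
  { ownerId: 2, memberId: 2 }, // Jane solo on her own team
];

// Stand-ins for app.models.project and app.models.team. Real LoopBack models
// call back asynchronously; these call back synchronously so the results can
// be checked with plain assertions.
const Project = {
  findById(id, cb) { cb(null, projects.find(p => p.id === Number(id)) || null); },
};
const Team = {
  count(where, cb) {
    cb(null, teams.filter(t => t.ownerId === where.ownerId && t.memberId === where.memberId).length);
  },
};

// Stand-in for LoopBack's Role model: keeps resolvers by role name.
const Role = {
  resolvers: {},
  registerResolver(name, fn) { this.resolvers[name] = fn; },
  isInRole(name, context, cb) {
    const fn = this.resolvers[name];
    if (!fn) return cb(null, false);
    fn(name, context, cb);
  },
};

// The resolver: the same three checks the README describes.
Role.registerResolver('teamMember', function (role, context, cb) {
  // Only requests against the project model can resolve to teamMember.
  if (context.modelName !== 'project') return cb(null, false);
  // Requests without an authenticated user are denied.
  const userId = context.accessToken && context.accessToken.userId;
  if (!userId) return cb(null, false);
  // Load the project, then look for a team row linking its owner to the user.
  context.model.findById(context.modelId, function (err, project) {
    if (err) return cb(err);
    if (!project) return cb(null, false);
    Team.count({ ownerId: project.ownerId, memberId: userId }, function (err, count) {
      if (err) return cb(err);
      cb(null, count > 0);
    });
  });
});

// Build a LoopBack-like access context and resolve the role for it.
function isTeamMember(modelName, modelId, userId) {
  const context = {
    modelName,
    modelId,
    model: Project,
    accessToken: userId ? { userId } : null,
  };
  let result = null;
  Role.isInRole('teamMember', context, function (err, yes) {
    if (err) throw err;
    result = yes;
  });
  return result;
}

// Jane (2) is on John's team, so she resolves to teamMember for project 1;
// Bob (3) does not, a non-project request does not, and a guest does not.
console.log(isTeamMember('project', 1, 2));    // true
console.log(isTeamMember('project', 1, 3));    // false
console.log(isTeamMember('team', 1, 2));       // false
console.log(isTeamMember('project', 1, null)); // false
```

Note that every failure path calls back with `false` rather than an error: a resolver that errors would surface as a 500 instead of a 401/403, and an unauthenticated request must never be mistaken for a team member.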
ACLs are used to restrict access to application REST endpoints.

ACL information:

- Deny access to everything by default
  - Model to apply the ACL entry to: `(all existing models)`
  - ACL scope: `All methods and properties`
  - Access type: `All (match all types)`
  - Role: `All users`
  - Permission: `Explicitly deny access`
- Allow anyone to call `GET /api/projects/listProjects`
  - Model to apply the ACL entry to: `project`
  - ACL scope: `A single method`
  - Method name: `listProjects`
  - Role: `All users`
  - Permission: `Explicitly grant access`
- Allow the `admin` role to call `GET /api/projects`
  - Model to apply the ACL entry to: `project`
  - ACL scope: `A single method`
  - Method name: `find`
  - Role: `other`, role name `admin`
  - Permission: `Explicitly grant access`
- Allow the `teamMember` role to call `GET /api/projects/:id`
  - Model to apply the ACL entry to: `project`
  - ACL scope: `A single method`
  - Method name: `findById`
  - Role: `other`, role name `teamMember`
  - Permission: `Explicitly grant access`
- Allow any authenticated user to call `POST /api/projects/donate`
  - Model to apply the ACL entry to: `project`
  - ACL scope: `A single method`
  - Method name: `donate`
  - Role: `Any authenticated user`
  - Permission: `Explicitly grant access`
- Allow only the project owner to call `POST /api/projects/withdraw`
  - Model to apply the ACL entry to: `project`
  - ACL scope: `A single method`
  - Method name: `withdraw`
  - Role: `The user owning the object`
  - Permission: `Explicitly grant access`

```
$ lb acl
# follow the prompts, repeat for each ACL listed above
```
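To see how the deny-all entry and the five grants combine, here is an added example (not the project's own code) that lists the six entries in the JSON shape `lb acl` writes into `project.json` and evaluates them with a simplified stand-in for LoopBack's ACL resolution. The principal ids `$everyone`, `$authenticated` and `$owner`, the `accessType` values and the `property` field are LoopBack 3's; the resolution rule used here (the most specific matching entry wins, and `DENY` beats `ALLOW` on a tie) is an assumption that approximates LoopBack's scoring rather than a copy of it, the role lookup for `admin` and `teamMember` is done against constructed rows mirroring `sample-models.js`, and the example assumes the `withdraw` and `findById` requests carry the target project's id.

```javascript
// Added example, not the project's own code: the README's ACL entries as
// LoopBack 3 JSON objects, plus a simplified evaluator to show how they combine.

const projectAcls = [
  { accessType: '*',       principalType: 'ROLE', principalId: '$everyone',      permission: 'DENY' },
  { accessType: 'EXECUTE', principalType: 'ROLE', principalId: '$everyone',      permission: 'ALLOW', property: 'listProjects' },
  { accessType: 'EXECUTE', principalType: 'ROLE', principalId: 'admin',          permission: 'ALLOW', property: 'find' },
  { accessType: 'EXECUTE', principalType: 'ROLE', principalId: 'teamMember',     permission: 'ALLOW', property: 'findById' },
  { accessType: 'EXECUTE', principalType: 'ROLE', principalId: '$authenticated', permission: 'ALLOW', property: 'donate' },
  { accessType: 'EXECUTE', principalType: 'ROLE', principalId: '$owner',         permission: 'ALLOW', property: 'withdraw' },
];

// Constructed sample rows (ids hypothetical): John (1) owns project 1 with
// Jane (2) on his team, Jane owns project 2 alone, Bob (3) is the admin.
const projects = [
  { id: 1, ownerId: 1 },
  { id: 2, ownerId: 2 },
];
const teams = [
  { ownerId: 1, memberId: 1 }, { ownerId: 1, memberId: 2 }, { ownerId: 2, memberId: 2 },
];
const roleMappings = [{ roleName: 'admin', userId: 3 }];

// Roles a principal holds for a request that targets the given project.
// $everyone, $authenticated, $unauthenticated and $owner are LoopBack's
// built-in dynamic roles; admin comes from a RoleMapping row; teamMember is
// what the role resolver computes (assumed rule: a team row links the
// project's owner to the user).
function rolesFor(userId, projectId) {
  const roles = new Set(['$everyone']);
  if (!userId) { roles.add('$unauthenticated'); return roles; }
  roles.add('$authenticated');
  const project = projects.find(p => p.id === projectId);
  if (project && project.ownerId === userId) roles.add('$owner');
  if (project && teams.some(t => t.ownerId === project.ownerId && t.memberId === userId)) roles.add('teamMember');
  if (roleMappings.some(m => m.roleName === 'admin' && m.userId === userId)) roles.add('admin');
  return roles;
}

// Simplified resolution (assumption, not LoopBack's exact scoring): an entry
// applies when its property is the requested method or absent (wildcard),
// its accessType is EXECUTE or '*', and the principal holds its role. A
// method-specific entry outranks a wildcard entry; on equal specificity DENY
// wins; with no matching entry at all the request is denied.
function isAllowed(userId, method, projectId) {
  const roles = rolesFor(userId, projectId);
  let best = null;
  for (const acl of projectAcls) {
    if (acl.property && acl.property !== method) continue;
    if (acl.accessType !== '*' && acl.accessType !== 'EXECUTE') continue;
    if (!roles.has(acl.principalId)) continue;
    const score = acl.property ? 2 : 1;
    if (!best || score > best.score || (score === best.score && acl.permission === 'DENY')) {
      best = { score, permission: acl.permission };
    }
  }
  return best !== null && best.permission === 'ALLOW';
}

// A guest (no token) can list projects but nothing else.
console.log(isAllowed(null, 'listProjects', null)); // true
console.log(isAllowed(null, 'find', null));         // false
// Bob (3) is admin and may use find; Jane (2) is on John's team and may read project 1.
console.log(isAllowed(3, 'find', null));            // true
console.log(isAllowed(2, 'findById', 1));           // true
console.log(isAllowed(3, 'findById', 1));           // false
// Only the owner may withdraw; any authenticated user may donate.
console.log(isAllowed(1, 'withdraw', 1));           // true
console.log(isAllowed(2, 'withdraw', 1));           // false
console.log(isAllowed(2, 'donate', 1));             // true
```

The point to take from the table is the shape, not the evaluator: one wildcard `DENY` for `$everyone` on every model, and then a narrowly scoped `ALLOW` per method. Any remote method you add later (or any built-in method such as `create` or `deleteById`) stays unreachable until it gets its own grant, which is the behaviour you want from a default-deny policy.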
Start the server (`node .`) and open `localhost:3000` in your browser to view the app. You will see logins and explanations related to each user type we created:

- Guest
- Project owner
- Project team member
- Administrator