Explorer blocked by the authentication module

[frbuceta]

Steps to reproduce

The explorer seems to require authentication when it is set:

// Customize @loopback/authentication configuration here
this.configure(AuthenticationBindings.COMPONENT).to({
  defaultMetadata: {
    strategy: 'JWTStrategy'
  }
})
this.component(AuthenticationComponent);
registerAuthenticationStrategy(this, JWTAuthenticationStrategy)

Expected Behavior

Should be set on all controllers, only controllers

Additional information

➜  xxxxxx-monitor-api git:(master) ✗   node -e 'console.log(process.platform, process.arch, process.versions.node)'
  npm ls --prod --depth 0 | grep loopbackdarwin x64 14.4.0
➜  xxxxxx-monitor-api git:(master) ✗   npm ls --prod --depth 0 | grep loopback
├── @loopback/authentication@4.2.7
├── @loopback/boot@2.3.3
├── @loopback/context@3.9.0
├── @loopback/core@2.8.0
├── @loopback/openapi-v3@3.4.3
├── @loopback/repository@2.7.0
├── @loopback/rest@5.1.1
├── @loopback/rest-explorer@2.2.4
├── @loopback/service-proxy@2.3.2
├── loopback-connector-mssql@3.8.0
➜  xxxxxx-monitor-api git:(master) ✗ 

Related Issues

#4782 (comment)

See Reporting Issues for more tips on writing good issues

[frbuceta]

If someone confirms that this should be the case when I have time, I will look for the error

[jannyHou]

Thanks @frbuceta I tried with jwt-todo example, confirmed explorer throws 401.

Should be set on all controllers, only controllers
Hmm, I have a different opinion on the expected behavior. Not only the controller routes goes through the sequence, there are more ways of defining routes, see declaring rest routes.

Instead of adding controller routes to whitelist, we can consider make a blacklist: explorer and spec endpoints like /openapi.json, /openapi.yaml should be in the list. WDYT?

Like

this.configure(AuthenticationBindings.COMPONENT).to({
      defaultMetadata: {
        strategy: 'JWTStrategy',
        // or a better property name
        exceptions: ['/explorer', '/openapi.json', '/openapi.yaml']
    }
})

[frbuceta]

Thanks @frbuceta I tried with jwt-todo example, confirmed explorer throws 401.

Should be set on all controllers, only controllers
Hmm, I have a different opinion on the expected behavior. Not only the controller routes goes through the sequence, there are more ways of defining routes, see declaring rest routes.

Instead of adding controller routes to whitelist, we can consider make a blacklist: explorer and spec endpoints like /openapi.json, /openapi.yaml should be in the list. WDYT?

Like

this.configure(AuthenticationBindings.COMPONENT).to({
      defaultMetadata: {
        strategy: 'JWTStrategy',
        // or a better property name
        exceptions: ['/explorer', '/openapi.json', '/openapi.yaml']
    }
})

I think it's a good idea but with extensions you can make that list very long. For example, the Health extension could be another case of exception

[raymondfeng]

The src/sequence.ts in todo-jwt needs to be updated per https://github.com/strongloop/loopback-next/blob/master/packages/cli/generators/app/templates/src/sequence.ts.ejs. It should call InvokeMiddleware action first and return if the finished is true.

[raymondfeng]

@jannyHou We need to fix all src/sequence.ts in all examples.

[raymondfeng]

It should be fixed by #5807

[jannyHou]

@raymondfeng This issue is actually a feature I would say, not a bug.

The explorer is not blocked by default, but after re-configure the authentication component using

this.configure(AuthenticationBindings.COMPONENT).to({
  defaultMetadata: {
    // please note this line enables jwt strategy for ALL endpoints, instead of the decorated ones
    strategy: 'JWTStrategy'
  }
})
this.component(AuthenticationComponent);
registerAuthenticationStrategy(this, JWTAuthenticationStrategy)

Your PR to update the templates is valid, but this story is not quite relevant. It's about skipping endpoints like explorer when apply a default strategy to entire app.

[raymondfeng]

@jannyHou The explorer endpoints are served by openApiSpec middleware. It's a not from a controller.

[jannyHou]

@raymondfeng IIUC, the config as:

this.configure(AuthenticationBindings.COMPONENT).to({
  defaultMetadata: {
    // please note this line enables jwt strategy for ALL endpoints, instead of the decorated ones
    strategy: 'JWTStrategy'
  }
})

will apply to all endpoints including the ones served by openApiSpec middleware, wouldn't it?

[mrbatista]

@raymondfeng #5807 Not resolve the issue.