I need know some of the security authentication and authorization

[emazzu]

@marioestradarosa
Hi people, I'm delayed here without knowing how to continue.

here, there is a tutorial for security, but, I dont know, if the lb3 built in models (user, role, role mapping, acl, access token), migrated to loopback 4 or not ???
lb4
https://loopback.io/doc/en/lb4/Authentication-tutorial.html

lb3
https://loopback.io/doc/en/lb3/Authentication-authorization-and-permissions.html

[marioestradarosa]

Hi @emazzu , I never used lb3 , but have implemented a couple of business applications with loopback 4 framework against relational databases and have used the @loopback/authentication and @loopback/authorization packages along with a customized extension for @loopback/authentication-jwt.

To put it simple, I use a JWT token for reach request that I need to secure. Inside the JWT token, I encrypt (yes, I encrypt it :- , not to get confused with singing the JWT token with a key) my payload because I use it sometimes I need to check certain things, for example, if the user is doing a transfer, I check if the payload contains one of the accountFrom and things like that.

Only in on project I had to use @loopback/authorization which was an online banking system, because there are roles like owner, assistant , authorizer etc. and yes, I guessed it, I send the token with that information but the token's payload is encrypted so nobody will view it and also it has a time expiration according to the session time I specify.

We customize usually the authentication method because whenever the user sends his username/password we don't really go to query a database all the time, in some cases we need to call a third party web service and the password can have a the user's password or a token generated thru some other means, so it is complex. We have to check if the user is not deactivated, if the user does not have questions and answers setup already and exceeded the limits or the user needs to change his/her password, so very complex, but we put that business logic in the authentication which is our strategy, and of course we override also the token generation method since we but our own payload (encrytped) but try to follow the UserProfile from @loopback/security but in our case it is extended to contain more information (ie: accounts, or user role or anything else).

So, subsequent calls @loopback/authentication makes my life easier since it extract the userProfile and leave it in the request context so I can grab it from there and make another kind of validations. I of course need to implement the authorizer method from @loopback/authorization component, but this component provides me of the decorator to @authorize also. Sometimes you don't need this component unless you have roles for your users.

What is your use case scenario, maybe I can give you some hints.