loopback 4 interceptor with metadata Similar to authorize

[rajkaran]

I want to restrict API access with an access-key how most of the APIs provide read access to anonymous users. In my use case my frontend isn't guarded with JWT or any token. I won't to prevent any random person post to my API.

I want to give my frontend read access to come endpoint while write access to other. besides frontend I will have other API connecting to my API with different access key which allows read to some end points and write to other.

I have asked this on StackOverflow https://stackoverflow.com/questions/75151068/loopback-4-interceptor-with-metadata-similar-to-authorize.

I want to add some metadata while calling interceptor something like @intercept('interceptors.accessKey', {metadata: { resource: 'Device', scopes: ['read'] }}).

I know Loopback 4 provides special interceptor @authorize but I don't believe I can use it without @authenticate('jwt'). My use case do not have room for authentication. How can I achieve this?

[raymondfeng]

Did you check out https://loopback.io/doc/en/lb4/Implement-your-own-strategy.html?

[rajkaran]

I can try to create an a custom authentication strategy. Another question I have is can I put 2 authentication on one end point?

What if in future requirement comes to implement jwt authentication will I be able to maintain both?

[raymondfeng]

You can have multiple authentication strategies for the same endpoint.

[rajkaran]

By creating custom authentication strategy I can only extract information from the Request.

In example https://loopback.io/doc/en/lb4/Implement-your-own-strategy.html#registering-a-custom-authentication-strategy. I can see metadata is injected in the AuthenticationStrategyProvider but how would I submit that metadata from controller.

Can I do @authenticate('accessKey', {metadata: { resource: 'Device', scopes: ['read'] }})

[rajkaran]

@raymondfeng
I am following code examples provided on https://loopback.io/doc/en/lb4/Authentication-component-options.html page.

In my controller, I am calling authenticate() function with options as @authenticate({strategy: 'accesskey', options: {permission: 'read'}}). I also tried to use @authenticate('accesskey',{permission: 'read'}) as it is suggested on this page but it isn't working for me. Eventually, I am going to have multiple authentications so I am preferring the first option.

For some reason const controllerMethodAuthenticationMetadata: any = await this.getMetaData(); line of code in the code example is giving me an array. due to which I can't access options like controllerMethodAuthenticationMetadata.options. The return I am getting is [ { strategy: 'accesskey', options: { permission: 'read' } } ].

• Is the code example wrong or I am making a mistake?
• How can I access options from this array? Typescript is complaining about datatype.
• On this page I have found app.configure(AuthenticationBindings.COMPONENT).to({failOnError: true}); line of code. Where will I add it, in application file?