Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authorizer triggers twice #4351

Closed
rajkaran opened this issue Dec 30, 2019 · 0 comments · Fixed by #4535
Closed

Authorizer triggers twice #4351

rajkaran opened this issue Dec 30, 2019 · 0 comments · Fixed by #4535
Assignees
@deepakrkris
Labels
bug
Milestone
Jan 2020

Comments

@rajkaran
Copy link

rajkaran commented Dec 30, 2019
edited
Loading

I have created a basic authorizer by following offical documentation and loopback4-example-shopping.

I have found that every time I hits api end point, consol.log in cutom authorizer provider triggers twice.

Steps to reproduce

below is my code.

role-based-authorizer.service.ts

import {bind, /* inject, */ BindingScope, Provider} from '@loopback/core';
import { Authorizer, AuthorizationContext, AuthorizationMetadata,
AuthorizationRequest, AuthorizationDecision} from '@loopback/authorization';

@bind({scope: BindingScope.TRANSIENT})
export class RoleBasedAuthorizerProvider implements Provider<Authorizer> {
    constructor(/* Add @inject to inject parameters */) {}

    value(): Authorizer {
        return this.authorize.bind(this);
    }

    async authorize( context: AuthorizationContext,
    metadata: AuthorizationMetadata ) {

        // console.log('RoleBasedAuthorizerProvider context', context)
        console.log('RoleBasedAuthorizerProvider metadata', metadata)
        if (
            context.resource === 'UserController.prototype.findById' &&
            context.principals[0].name === 'user-01'
        ) {
            return AuthorizationDecision.DENY;
        }

        return AuthorizationDecision.ALLOW;
    }
}

end point in user.controller

@get('/users/{id}', {
        security: OPERATION_SECURITY_SPEC,
        responses: {
            '200': {
                description: 'User model instance',
                content: {
                    'application/json': {
                        schema: getModelSchemaRef(User, {
                            includeRelations: true
                        }),
                    },
                },
            },
        },
    })
    @authenticate('jwt')
    @authorize({ resource: 'user', scopes: ['fetch'], allowedRoles: ['admin'], voters: [compareId] })
    async findById(
        @param.path.string('id') id: string,
        @param.query.object('filter', getFilterSchemaFor(User)) filter ? : Filter < User >
    ): Promise < User > {
        let user = await this.userRepository.findById(id, filter);
        delete user.password;
        return user;
    }

registering in application.ts

this.component(AuthorizationComponent);
this.bind('authorizationProviders.rolebased-provider')
            .toProvider(RoleBasedAuthorizerProvider)
            .tag(AuthorizationTags.AUTHORIZER);

Current Behavior

sees console.log printed twice

RoleBasedAuthorizerProvider metadata {
  resource: 'user',
  scopes: [ 'fetch' ],
  allowedRoles: [ 'admin' ],
  voters: [ [AsyncFunction: compareId] ]
}
RoleBasedAuthorizerProvider metadata {
  resource: 'user',
  scopes: [ 'fetch' ],
  allowedRoles: [ 'admin' ],
  voters: [ [AsyncFunction: compareId] ]
}

Expected Behavior

Should be printed only once. I am planning to make a query within authorizer. If I go ahead with current behaviour then I will see two database queries instead of a single one.

Is there a way to prevent this?
@rajkaran rajkaran added the bug label Dec 30, 2019
@deepakrkris deepakrkris self-assigned this Jan 9, 2020
@bajtos bajtos mentioned this issue Jan 21, 2020
Closed
7 tasks
raymondfeng added a commit that referenced this issue Jan 29, 2020
@raymondfeng
fix(authorization): make sure an authorizer is only invoked once per …
9741fed 
…request

Fixes #4351
@raymondfeng raymondfeng mentioned this issue Jan 29, 2020
Merged
7 tasks
raymondfeng added a commit that referenced this issue Jan 29, 2020
@raymondfeng
fix(authorization): make sure an authorizer is only invoked once per …
b29bbeb 
…request

Fixes #4351
@dhmlau dhmlau added this to the Jan 2020 milestone Jan 30, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@deepakrkris deepakrkris

Labels
bug
Projects
None yet
Milestone
Jan 2020
3 participants
@rajkaran @deepakrkris @dhmlau