docs: add guideline doc for authorize component

[samarpanB]

Add documentation specifying guidelines on creating an authorisation component

Related #538

Checklist

👉 Read and sign the CLA (Contributor License Agreement) 👈

• npm test passes on your machine
• New tests added or existing tests modified to cover all changes
• Code conforms with the style guide
• API Documentation in code was updated
• Documentation in /docs/site was updated
• Affected artifact templates in packages/cli were updated
• Affected example projects in examples/* were updated

👉 Check out how to submit a PR 👈

[bajtos]

Thank you @samarpanB for the contribution!

We are using US spelling (authorization, not authorisation) in our docs, could you please update your content accordingly?

Also some of the CI builds are failing, please check the errors and fix the problem.

I'll leave the review of the actual content to somebody more familiar with our Authentication/Authorization story. /cc @raymondfeng @jannyHou

[bajtos]

Merge branch 'master' into authorisation-component-guide

Please don't use git merge, use git rebase master instead. We use linear git history with no merge commits. By rebasing early and often, you will avoid possibly costly merge conflicts later.

[raymondfeng]

@samarpanB Your contribution just came in time! We're evaluating a few options - #2718.

Please also check out #2687. For authorization decisions, interceptors provide more metadata, which may make it more suitable for deciding if a request should be allowed for a given method. Please note authorization might be also needed for non-controller methods, such as repositories or service proxies.

[samarpanB]

Merge branch 'master' into authorisation-component-guide

Please don't use git merge, use git rebase master instead. We use linear git history with no merge commits. By rebasing early and often, you will avoid possibly costly merge conflicts later.

I'll clean up the commit history and fix as you mentioned.

[raymondfeng]

@samarpanB There are instructions in https://loopback.io/doc/en/lb4/submitting_a_pr.html to help you tidy up the PR.

[samarpanB]

@samarpanB Your contribution just came in time! We're evaluating a few options - #2718.

Please also check out #2687. For authorization decisions, interceptors provide more metadata, which may make it more suitable for deciding if a request should be allowed for a given method. Please note authorization might be also needed for non-controller methods, such as repositories or service proxies.

@raymondfeng I think the idea for this documentation was to describe a minimalist implementation of authorization as a separate component, as I have mentioned here. It could be a starter guide for those who are already working on a production ready application and need authorisation at controller methods level to begin with.

BTW, I like the idea of interceptors.

[samarpanB]

Fixed all issues. Please have a look. @bajtos @raymondfeng

[bajtos]

LGTM as far as I am concerned. I did not review the actual content, I'll leave that to @raymondfeng and possibly other members of @strongloop/loopback-maintainers.

[raymondfeng]

Can we describe userPermissions? Does it represent the granted permissions or mapped roles for the user?

[samarpanB]

Description added.

[raymondfeng]

If it's for permissions, @authorize('canCreate') is better.

[samarpanB]

Refer the way permission keys are defined. They are specific to entities. There can be a user who is allowed to create new roles but not to create a new user. We need to have that flexibility.

[samarpanB]

@raymondfeng updated with changes as per your queries and feedback. Please have a look.

[raymondfeng]

Let's use camel case, such as isAllowed or allowed.

Maybe it's better to use enum values, such as allow | deny.

[samarpanB]

renamed to allowed. I would prefer boolean over enum as it avoid any possibility of 3rd value which I intend here.

[raymondfeng]

@samarpanB Great writeup! I added a few more minor comments.

[raymondfeng]

@samarpanB Please squash all commits into one so that we can land it. Thanks! See https://loopback.io/doc/en/lb4/submitting_a_pr.html

[samarpanB]

@raymondfeng done. Thanks !

[samarpanB]

@raymondfeng it seems CI build is failing due to reasons outside of this PR. I can see below in error log. Do I need to check and fix ?

1. CalculatorService
   adds two numbers:
   Error: Timeout of 2000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves. (/home/travis/build/strongloop/loopback-next/examples/soap-calculator/dist/tests/integration/services/calculator.service.integration.js)

2. CalculatorService
   multiplies two numbers:
   Error: Timeout of 2000ms exceeded. For async tests and hooks, ensure "done()" is called; if returning a Promise, ensure it resolves. (/home/travis/build/strongloop/loopback-next/examples/soap-calculator/dist/tests/integration/services/calculator.service.integration.js)

[raymondfeng]

it seems CI build is failing due to reasons outside of this PR. I can see below in error log. Do I need to check and fix ?

No, we host the test server in cloud and sometime it takes longer to wake up and causes timeout.

[nabdelgadir]

@samarpanB I restarted it so it's passing now.

[raymondfeng]

@samarpanB PR landed 👍 Thanks!

[raymondfeng]

@samarpanB Can you describe AuthResponse type? See #2896

[samarpanB]

Done. Just didn't want to add authentication stuff to authorization doc. hence, skipped this.