docs: update docs on authentication package

[emonddr]

Add a new section on loopback.io about AuthenticationComponent

Associated with : #2940

Checklist

👉 Read and sign the CLA (Contributor License Agreement) 👈

• npm test passes on your machine
• New tests added or existing tests modified to cover all changes
• Code conforms with the style guide
• API Documentation in code was updated
• Documentation in /docs/site was updated
• Affected artifact templates in packages/cli were updated
• Affected example projects in examples/* were updated

👉 Check out how to submit a PR 👈

[emonddr]

This is a work on progress and is not ready for review. Just saving my work for today.

[emonddr]

I've taken a first pass at explaining the authentication component's main pieces, and what a developer has to do for authentication. I haven't yet used any charts from our design document : https://github.com/strongloop/loopback-next/blob/master/packages/authentication/docs/authentication-system.md.

[dhmlau]

Looking good!
My review comments are more from the new user's perspective because I'm not familiar with what had been implemented. :)
Besides the review comments, I think it might be useful to have a diagram to show the relationship among the authentication component/strategy(and interface)/provider.

[dhmlau]

@bajtos suggested, at some point, that we should make the ts code snippet a valid one. so, my suggested change would be:

// ... 

instead of simply
...

[dhmlau]

Apologize that I'm not familiar with this feature. So the name has to be AuthenticationComponent? That means we cannot have more than one Authentication component?

[emonddr]

@dhmlau

Apologize that I'm not familiar with this feature. So the name has to be AuthenticationComponent? That means we cannot have more than one Authentication component?

So most of the logic of @loopback/authentication ( the authentication metadata provider, the authentication action provider, and the authentication strategy provider ) is available in a component named AuthenticationComponent, and must be loaded by an application.

The user needs to create and register their own custom authentication strategies (user can have many of these), and implement their own token service or user service etc, and create a custom sequence that places the authentication action in a specific place.

But the core authentication framework logic is stored in 1 component.

[emonddr]

@dhmlau ^^ :)

[dhmlau]

Suggested change (see if it makes sense to you):
See the complete example for basic authentication strategy and jwt authentication strategy

[dhmlau]

typo: They -> The

[dhmlau]

I think it's kind of understood and no need for this paragraph?

[emonddr]

@dhmlau

I think it's kind of understood and no need for this paragraph?

You are right. Sometimes I like writing for the lowest common denominator (somebody new to TypeScript). I will remove it.

[dhmlau]

nitpick: do you have some more realistic values that our users might want to use the options for?

[emonddr]

@dhmlau

nitpick: do you have some more realistic values that our users might want to use the options for?

Not really because we don't ship any authentication strategies at all ( just the interface). I could put a made up options object { useCookie: true} or {session:true} or { enforceLongPassword: true} but this would give them the wrong impression that our interface supports this kind of option. @jannyHou @raymondfeng , what are your thoughts on this?

[jannyHou]

I was also searching for some meaningful options for the basic auth in passport-http, but unfortunately didn't find any...like what Dom said, they are all related to the passport middleware instead of the strategy itself.

[dhmlau]

got it. maybe at least mention those options are specific to the strategy the user select?

[emonddr]

@jannyHou

I was also searching for some meaningful options for the basic auth in passport-http, but unfortunately didn't find any...like what Dom said, they are all related to the passport middleware instead of the strategy itself.

Actually, the focus of the discussion is not on passport stuff in this discussion. The @authenticate(strategyName, options?) decorator allows for passing in options. This gives the developer of custom authentication strategies a way to pass options in...if needed.

(Buy Janny is correct that the passport-based api have options they can pass in too...)

[raymondfeng]

We can use something as follows:

@authenticate('basic', { /* some options for the strategy */})

[dhmlau]

does it only applicable to LB4 application with REST server? I find it a bit strange to refer it as "LoopBack 4 REST application".

[emonddr]

@dhmlau , I see what you mean. A user can create a gRPC server I guess, and not a typical REST API server which uses HTTP requests. Are people using LoopBack for more than REST servers at the moment?

I will remove the word 'REST' in this instance.

[dhmlau]

i think they can, right? @raymondfeng

[jannyHou]

@dhmlau The default sequence mentioned here is for REST server only.

And please note that in the AuthenticationStrategy interface, the Request type is imported from @loopback/rest, see https://github.com/strongloop/loopback-next/blob/master/packages/authentication/src/types.ts#L7

So...just speak for myself :-p mentioning REST application is ok to me here.

Those services like UserService and TokenService are reusable for other clients, but the authentication component does target on the REST requests.

[raymondfeng]

The sequence so far only applies to RestServer. Maybe we can say In a LoopBack 4 application with REST API endpoints.

[jannyHou]

The documentation part looks perfect to me 🙂 I don't have anything else to add, just 2 tiny comments.

And for the diagram, the content looks good, a few suggestion:

• A more accurate type would be Promise<UserProfile>:

• nitpick: 'some' --> 'amodel' or 'somemodel'. Just a suggestion based on personally preferred naming conversion.

• Maybe re-organize the rectangles in a more sorted way?

[jannyHou]

Object --> object :)

[emonddr]

@jannyHou thanks for your feedback.

A more accurate type would be Promise

When creating this diagram, space is very limited, so I chose to avoid using stuff like:
this. and Promise< > to save space, and give a general idea of the logic. The documentation text in the sections below the diagram will show the correct code.

nitpick: 'some' --> 'amodel' or 'somemodel'. Just a suggestion based on personally preferred naming conversion.

The lb4 controller CLI creates controller files is this format: someName.controller.ts . And all the artifacts follow the same pattern. I think my filename is ok.

Maybe re-organize the rectangles in a more sorted way?

It took a long time to create the diagram and all its pieces and labels and move them into place, so I am reluctant to iteratively move all the PowerPoint shapes/labels/arrows around unless someone sends me a pencil and paper picture of a re-design.

[jannyHou]

When creating this diagram, space is very limited, so I chose to avoid using stuff like:
this. and Promise< > to save space

👍 Fair enough.

And the naming and diagram comments are just nitpicks 🙂 feel free to ignore.

[jannyHou]

It would be good if we can show a code example here. While I also realized we don't have an auth option sample yet, maybe use the greeter extension https://github.com/strongloop/loopback-next/tree/master/examples/greeter-extension#implement-an-extension ?

[emonddr]

@jannyHou ^^ ,

Can we point to a unit test that passes in options? https://github.com/strongloop/loopback-next/blob/master/packages/authentication/src/__tests__/unit/providers/auth-metadata.provider.unit.ts#L16

[jannyHou]

@emonddr Cool the unit test is much more relevant. Looks good to me.

[emonddr]

@jannyHou , I've changed my mind about pointing to the unit test. It doesn't really show global options being overridden by request options from the decorator. Perhaps after this PR lands, we can have a follow up PR to add a section about injecting global options into the strategy, and then the strategy checking for overriding options from the decorator and then overriding the global options. I have an example of this I can dig up from one of my workspaces. But I won't be able to prepare it nicely today for @raymondfeng to review.

[jannyHou]

@emonddr Sure it would be good to have an example and point to it. +1 for improving it in another PR.

[nabdelgadir]

Just some nitpicks but 👍. When you're linking to another docs on the website, if you use {file-name}.md, then, in vscode, it goes to the file instead of the website so that's why I recommend changing those (there are more of them in the file that I didn't comment on).

[nabdelgadir]

Nitpick: can you add a new line between the image and paragraph?

[dhmlau]

Thanks for adding the diagram. I was thinking of a more higher-level diagram to help users to understand the big picture first. :)
I was thinking something along the line of the diagram below (it's probably not reflecting what's actually happening, but just an illustration). Does it make sense?

[emonddr]

Perhaps we should have a whiteboard session and see how we can move between highlevel and lowlevel diagrams and when...

[dhmlau]

It's just a suggestion. Since I don't have much background on the detailed design, so a higher level diagram helps me better to understand. Maybe it's just personal preference.

[emonddr]

@dhmlau

The action provider isn't a composite part of the strategy provider, and the metadata provider can be used from anywhere (actually all of them are set up like this), so it is more accurate to have them separate from each other than contained in each other as in my diagram.

[emonddr]

@dhmlau @jannyHou how about this for a high level?

[emonddr]

1. wondering if I should show custom authentication strategies at all in this diagram and just leave it as extensions
2. wondering if I should specify the parameters of the decorator: strategyName:string, options?:object .

[emonddr]

actually this one is better

[raymondfeng]

Let's use a bullet list.

[raymondfeng]

Add some description for request, such as:

@param request - Express request object

[raymondfeng]

endpoint -> resource?

[raymondfeng]

verifying ... -> deciding if a user can perform an action on a protected resource?

[raymondfeng]

Maybe add links such as:

• https://en.wikipedia.org/wiki/Authentication
• https://en.wikipedia.org/wiki/Authorization

[raymondfeng]

Let's crop the diagram so that there is no blank area to the left:

[raymondfeng]

Terms like decorator/provider/extension point seem to be too low level here. We can say:

• Decorators to express authentication requirement on controller methods
• A provider to access method-level authentication metadata
• An action in the REST sequence to enforce authentication
• An extension point to discover all authentication strategies and handle the delegation

[emonddr]

Decorators

A decorator

[raymondfeng]

👍

[raymondfeng]

Maybe change the order as follows:

1. decorate (app developer)
2. add authentication action (app developer/cli)
3. create custom authentication strategy (extension developer)
4. register a custom authentication strategy (app developer)

[raymondfeng]

By default, ...

[dhmlau]

nitpick: I'm not quite sure if we need to bold the "example" word.. similar to a few incidents towards the end of the last section. It could be just personal preference.

[dhmlau]

LGTM. Thanks for addressing my comments. Please at least get approvals from @raymondfeng and ideally @jannyHou too on this. Thanks.

[raymondfeng]

Great details!

[b-admike]

Overall LGTM; I like how detailed the documentation is!

[b-admike]

can we show the import for registerAuthenticationStrategy here?

[nabdelgadir]

👍

[jannyHou]

💪 LGTM