[LABS] feat: adapter that wraps strategy

[jannyHou]

Connect to #2311

This PR contains 2 potential solutions(you will find TWO adapter files in src + TWO unit tests + TWO acceptance tests) for converting the passport based strategies to the one defined in @loopback/authentication:

• wrap the passport strategy, like BasicStrategy in passport-http: the 1st commit
• is supposed to to wrap the passport middleware, but due to the type error I explained in 561f6b5#diff-fb7bcb47eeb0d22961f9f511534a7db6R76, it still takes in a strategy in the constructor
  • so my code is more like a PoC that proves invoking passport.authenticate() works
  • if we could solve the type error, I can quickly turn it into the expected adapter
  • if the type error cannot be solved then we have to wrap the strategy not the middleware

Let's discuss which one do we want and discard the unwanted one. If both are good, I will extract one of them to a new package.

---

Update:

We decided to take the simple approach: wrapping the strategy, so please ignore the 2nd proposal above ^

Checklist

👉 Read and sign the CLA (Contributor License Agreement) 👈

• npm test passes on your machine
• New tests added or existing tests modified to cover all changes
• Code conforms with the style guide
• API Documentation in code was updated
• Documentation in /docs/site was updated
• Affected artifact templates in packages/cli were updated
• Affected example projects in examples/* were updated

👉 Check out how to submit a PR 👈

[raymondfeng]

Why do we need to wrap it into process.nextTick()? The users.find is already async.

[raymondfeng]

The code does not follow prettier formatting style.

[raymondfeng]

What about the following idea?

1. Have one PassportAuthenticationStrategy provider to be registered with LB4 authentication strategies extension point.

2. The PassportAuthenticationStrategy supports passport:<name>

3. Inside PassportAuthenticationStrategy, we expose another extension point to register all passport strategies (for example, with a tag passport.strategy).

   • Creates one instance of passport
   • Discovers all passport strategy extensions
   • Calls passport.use() to register all passport strategies

[jannyHou]

@raymondfeng Having 2 extensions kind of falls back to the initial implementation in the draft PR #2822 (which unfortunately was squashed and cannot be recovered...)

The reason why I wrapped the passport strategy directly to a common implementation of AuthenticationStrategy is explained in `dbc51ce#r280376757

[jannyHou]

And I am able to perform an authentication by invoking passport.authenticate(), but not quite sure about the benefit of doing it (compared with invoking strategy.authenticate()), and describing the type of a passport instance is very problematic, see explanation
By saying that I didn't mean we have to define the passport in any function's parameter, but in case we have to do that, we need figure out a solution for the type issue.

[raymondfeng]

Would it be better to name the package as authentication-passport?

[bajtos]

+1 to use authentication-passport

[raymondfeng]

Change the module name here.

[raymondfeng]

Maybe we should have a sugar method such as usePassportStrategy() here.

[jannyHou]

Yes we have it in https://github.com/strongloop/loopback-next/blob/master/packages/authentication/src/types.ts#L66
(my code was copied from the out of date draft.)

[raymondfeng]

Another option is to use StrategyAdapter as the base class.

[jannyHou]

@raymondfeng Hmm is there a big difference between using the provider or using a class that extends StrategyAdapter?

[bajtos]

Where is VERIFY constant defined?

[jannyHou]

oops...

[bajtos]

I find this as not very elegant. Can we find a way how to simplify this registration step? For example, can we leverage @extension or @bind decorators to specify the extension point name in the code where we are defining PassportBasicAuthProvider.

@raymondfeng you are the author of addExtension and the extension-point/extension implementation. What is the recommended way for registering extensions? Are we missing any new helpers in @loopback/core to simplify this process?

[jannyHou]

My code is out of date we do have that sugar function :)

#3056 (comment)

[raymondfeng]

It should be 2019.

[raymondfeng]

Can we update the base branch with this change first?

[jannyHou]

good catch! updated in #3150

[raymondfeng]

We strongly recommend that users ...

[jannyHou]

And I updated the link as well since #2977 get merged

[raymondfeng]

base -> based

[raymondfeng]

@loopback/authentication-passport

[jannyHou]

local tests pass

 [email protected] mocha /Users/jannyhou/2019/auth/adapter/loopback-next
> node packages/build/bin/run-mocha "labs/*/dist/__tests__/**/*.js"



  ․․․․․․․

  7 passing (90ms)


> [email protected] posttest /Users/jannyhou/2019/auth/adapter/loopback-next
> npm run lint


> [email protected] lint /Users/jannyhou/2019/auth/adapter/loopback-next
> npm run prettier:check && npm run eslint && node bin/check-package-locks


> [email protected] prettier:check /Users/jannyhou/2019/auth/adapter/loopback-next
> npm run prettier:cli -- -l


> [email protected] prettier:cli /Users/jannyhou/2019/auth/adapter/loopback-next
> node packages/build/bin/run-prettier "labs/**/*.ts" "labs/**/*.js" "labs/**/*.md" "-l"


> [email protected] eslint /Users/jannyhou/2019/auth/adapter/loopback-next
> node packages/build/bin/run-eslint --report-unused-disable-directives --cache .

[raymondfeng]

Simple Usage or Basic Use

[emonddr]

@jannyHou

Created an instance of the passport strategy

Create an instance of the passport strategy

[emonddr]

@jannyHou

Take the basic strategy exported from passport-http as an example, first create an instance of the basic strategy with your verify function

Taking the basic strategy exported from passport-http as an example, first create an instance of the basic strategy with your verify function

[jannyHou]

For reviewers: the decreased code coverage is complaining about the packages/* modules, so I guess the coverage check script on branch labs/base need to be fixed, I am going to submit a PR for it.

see report in https://coveralls.io/builds/24001707

[emonddr]

Please see two comments I added today, June 14 outside this review.

[emonddr]

But don't provide any passport specific options since we don't support the session manager.

Can you give an example of what you mean here? And what happens if that passport strategy requires a session manager? Will it not work?

[jannyHou]

I doubled checked the usage of passport-http, and realize the passport specific options are only provided when the strategy is invoked by passport.authenticate(), like https://github.com/jaredhanson/passport-http#authenticate-requests.
So, since we don't involve passport in this PR, we don't introduce that concern either. I will remove "But don't provide any passport specific options since we don't support the session manager."

[emonddr]

// So that you will decorate the APIs later with the same name.

// You will need to decorate the APIs later with the same name

[emonddr]

.bind('authentication.strategies.basicAuthStrategy')

Is there a constant that can be used from @authenticate to form the first two segments of this string?

[emonddr]

e.g. https://github.com/strongloop/loopback-next/blob/master/packages/authentication/src/keys.ts#L108

[emonddr]

I guess the class name of the strategy here

https://github.com/strongloop/loopback-next/blob/master/packages/authentication/src/types.ts#L65

is appended as the last segment of the string?

[jannyHou]

@emonddr The key itself could be any name, it is the tag that makes the strategy recognized by the extension point, and the name property defined in the strategy class that needs to match the name in decorator @authenticate('basic')

I don't have a strong opinion on using a string or leveraging the constant in https://github.com/strongloop/loopback-next/blob/master/packages/authentication/src/keys.ts#L108, I would respect your preference.

[emonddr]

If you need to inject stuff (e.g. the verify function) when configure the
strategy, you may want to provide your strategy as a provider.

If you need to inject stuff (e.g. the verify function) when configuring the
strategy, you may want to supply your strategy as a provider.

[emonddr]

Note: If you are not familiar with LoopBack provider, check the documentations
in

Note: If you are not familiar with LoopBack providerS, check the documentation
in

[emonddr]

// So that you will decorate the APIs later with the same name

// You will decorate the APIs later with the same name

[b-admike]

Got some comments, but looks good to me overall 👍

[b-admike]

nitpick: would it help to show the import statement here?

[b-admike]

this.configuredBasicStrategy(verify); -> this.configuredBasicStrategy(verifyFn);

[jannyHou]

verifyFn is a type, verify is the real function.

[b-admike]

Oh...where do we get verify from? I thought we are passing the injected variable here https://github.com/strongloop/loopback-next/pull/3056/files#diff-ac3170e38ad0d9561109e8d873e5e467R122. I thought verifyFn is the function and BasicVerifyFunction is the type.

[b-admike]

can we show where AUTH_STRATEGY_NAME is declared or imported?

[b-admike]

Can we include registerAuthenticationStrategy and PassportBasicAuthProvider imports at the top for this line?

[b-admike]

LGTM 👍

[b-admike]

nitpick: REVIWERS -> REVIEWERS

[jannyHou]

oh..another good catch, that comment should be moved too!