feat: extract local credentials into a new model

[bajtos]

Introduce UserCredentials models to hold hashed passwords, add has-one relation from User to UserCredentials.

Rework authentication-related code to work with the new domain model.

See loopbackio/loopback-next#1996 for additional information.

I have to say the code in the example app is a bit messy. Some things are (unnecessarily) duplicated in multiple places, therefore my pull request had to touch quite few files to update all duplications. Considering our current priorities, I am leaving refactoring & cleanup out of scope of my PR.

[emonddr]

Great stuff. Just a few comments and questions. :)

[jannyHou]

@bajtos Thank you very much for creating the PR 👍 mostly LGTM, left a few comment.

[jannyHou]

Hmm, why do we need an extra userId when id is already defined?

[bajtos]

• id is the primary key of UserCredentials model
• userId is a foreign key referencing id of the user these credentials belong to

This is the classic HasOne/BelongsTo setup we use everywhere else in LB4.

It is possible to use User's id as the primary key of UserCredentials too, but we don't have first-class support for that in LoopBack yet.

Also note that depending on the password policy, we may want to store historical credentials and thus have more than on UserCredentials instance for a single user. Think of a password policy "the new value must be different than the last 3 values used".

[bajtos]

@emonddr @jannyHou thank you for thoughtful comments. I have addressed some of them in 24ff52c and posted comments where I think no action is needed.

PTAL, LGTY now?

It makes me wonder, is there anything else we need to update as part of this change? E.g. documentation?

[emonddr]

@emonddr @jannyHou thank you for thoughtful comments. I have addressed some of them in 24ff52c and posted comments where I think no action is needed.

PTAL, LGTY now?

It makes me wonder, is there anything else we need to update as part of this change? E.g. documentation?

Please look at https://loopback.io/doc/en/lb4/Authentication-Tutorial.html , and double-check that any code examples shown or instructions to post or get a user match what you now have.

The Try it out section , https://loopback.io/doc/en/lb4/Authentication-Tutorial.html#try-it-out passes an id of "1" in the POST /users . This doesn't work in your PR now, please make sure a user is able to POST /users where id value is specified, and where id is not specified but autogenerated by mongo db.

[emonddr]

Adding a user with id specified fails. Please fix. thx. See my comment.

[bajtos]

The Try it out section , https://loopback.io/doc/en/lb4/Authentication-Tutorial.html#try-it-out passes an id of "1" in the POST /users . This doesn't work in your PR now, please make sure a user is able to POST /users where id value is specified, and where id is not specified but autogenerated by mongo db.

I find it very annoying that the documentation is depending on behavior that's not covered by automated tests :-/

I'll take a look and add the missing test.

[bajtos]

Thank you @emonddr for the pointers for documentation which I should check, this was very helpful 🙇

[jannyHou]

@bajtos Thank you,

It makes me wonder, is there anything else we need to update as part of this change? E.g. documentation?

You probably want to explain the UserCredential is separated from User as a single model in https://github.com/strongloop/loopback4-example-shopping#models

[bajtos]

Thank you all again for your feedback. I see the following major areas to improve:

• Ensure we can provide a custom id when creating a new user, update docs and tests accordingly
• Update "Authentication tutorial" to match the new example app

Here is what I did:

• I followed all steps in Try it out
• In Update Authentication Tutorial with UserCredentials  loopback-next#4201, I changed the example data in "Try it out" section to use a valid ObjectID value instead of 1
• In this pull request (e27afa7), I added a new test to verify that it's possible to create a new user using the payload shown in our docs
• In Update Authentication Tutorial with UserCredentials  loopback-next#4201, I updated the relevant parts of "Authentication Tutorial" to match the updates made by this pull request
• Finally, in this pull request (e27afa7), I added UserCredentials model to README.

@emonddr @jannyHou LGTY now?

[emonddr]

In loopbackio/loopback-next#4201, I changed the example data in "Try it out" section to use a valid ObjectID value instead of 1

As I mentioned in the PR referenced above, if we are not going to pass in an easy id like 1, 2, or 3, etc but an Object ID (which is harder for a person to think of), let's just avoid passing an id value when POST-ing a new user in the Try it Out section of the document.

[emonddr]

See my most recent comment. thx.

[jannyHou]

👏