Pass auth header from client to loopback rest-connector

[ghost]

Feature request

• "x" Feature request

Description of feature (or steps to reproduce if bug)

Data can be passed to the rest-connector but it seems headers cannot. It would be useful to pass the Authorization header to the rest-connector for multi tenanted systems. Here is a link to what I am trying to do which promoted this request.

http://stackoverflow.com/questions/41573433/pass-basic-auth-from-angular-client-to-loopback-rest-connector

http://stackoverflow.com/questions/29899682/loopback-io-rest-connector-how-to-pass-through-oauth-token?

@bajtos

[raymondfeng]

Have you tried to use connector observer - https://github.com/strongloop/loopback-connector-rest/blob/master/test/rest-loopback.test.js#L180? It allows you to intercept the http req/res for the outbound REST call.

[ghost]

Hi Raymond, Yes I have (I think). I have a connector,js boot script that has the following,

JBConnector.observe('before execute', function(ctx, next)
}

The ctx object does not have the Authorisation header in it although I am sending it in the http.post request.

[raymondfeng]

Please note the ctx object is for the outbound http req/res to your REST API.

For your case, maybe the best option is as follows:

1. Add custom remote method which has the authorization arg from the incoming http
2. Configure your REST DS with authorization header as a variable in the template
3. In your custom remote method impl, pass in the authorization arg to the REST model call

We'll probably come up a better solution in LoopBack.next

[ghost]

Hi Raymond, Thanks for the info re the ctx object. Please see this is for my attempt http://stackoverflow.com/questions/41573433/pass-basic-auth-from-angular-client-to-loopback-rest-connector which is wrong. I understand your steps as this is similar logic to what I was trying to do. The question really is how does this work. Best,

[ghost]

Hello both, Did you guys get anywhere with an example of best practice for this issue?

Best,

[bajtos]

I think we may be able to leverage http://loopback.io/doc/en/lb3/Using-current-context.html to implement this feature:

• When a model is attached to REST connector, the connector should override Model'screateOptionsFromRemotingContext method with a custom implementation that will include request headers in the options argument
• Remote methods generated by REST connector should include options argument
• The configuration of remote methods should allow the users to tell which of the request headers should be passed through.

@raymondfeng thoughts?

[ghost]

Thanks for the input @bajtos. @raymondfeng are you able to weigh in with your thoughts on this?

Best,

[raymondfeng]

@bajtos +1. Let's create a user story to implement such enhancements (probably for all http related connectors).

[ghost]

Hi @bajtos @raymondfeng. There context for why I am trying to do this is to allow the api to enable multi tenancy. As well as providing "local" models the api talks to another independent system. This system uses basic auth. The api may have to communicate with various instances of this independent system and hence requires the auth header to be dynamically created through the rest connector. Does that make sense? I can work with a work around if you guys can provide a code example of this? Best,

[kalpana-ideas2it]

Hi @raymondfeng, Is there any possibility to give include, filter options in the rest-connector template?
Thanks in advance:)

[kreegr]

@NudgeTech -
For background, I have to request an access token and pass it in my auth header. Not wanting to re-write the default crud methods, I didn't want to use a template.

I was able to do this using the before execute hook @raymondfeng mentioned:

myDataSource.connector.observe('before execute', (ctx, next)=>{
   apiTokenPromise().then(ACCESS_TOKEN => {
     ctx.req.headers = {
        "authorization": `Bearer ${ACCESS_TOKEN}`
      };
      next();
  });
});

[kalpana-ideas2it]

Thank you @kreegr

[geocine]

How to do this on loopback 4?

[dejibimbolaAyo]

Hi, is there a "non-hacky" way to do this in LB4?

Would really appreciate...

[arunkumarreddygoluguri]

@kreegr Hi Any ideas on implementing this for loopback 4

[kreegr]

I’m sorry - I don’t (I haven’t tried because I haven’t used it yet)

[jannyHou]

I suggest we move the discussion to loopbackio/loopback-next#2381.