Skip to content

Warn on misconfigured access token user #3231

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bajtos merged 4 commits into from
Mar 3, 2017
Merged

Warn on misconfigured access token user #3231

bajtos merged 4 commits into from
Mar 3, 2017
+170 −37

Conversation

@bajtos
Copy link
Member

@bajtos bajtos commented Feb 24, 2017

Description

Verify User and AccessToken relations at startup Modify app.enableAuth() to verify that (custom) User and AccessToken models have correctly configured their hasMany/belongsTo relations and print a warning otherwise.

As I was fixing the tests reporting this new warning, I discovered few other issues that I needed to fix first - see the first three commits abf8246, c45954c and f0c9700.

The warning and the tests are fixed by the last commit f0d6416.

I think we should wait with merging this pull request until there is a doc page written where we explain users how to fix this problem, so that we can add URL of this doc page to the new warnings.

cc @ebarault @greaterweb

Related issues

Checklist

  • New tests added or existing tests modified to cover all changes
  • Code conforms with the style
    guide

@bajtos
Fix test/access-token.test to use local registry
abf8246
@bajtos
Use local registry in test/replication.rest.test
c45954c
@bajtos
Deep-clone model settings in lib/builtin-models
f0c9700 
Fix the code loading builtin models to always clone the JSON object
used as model settings/definition. This is needed to allow applications
to modify model settings while not affecting settings of new models
created in the local registry of another app.
@bajtos bajtos added the feature label Feb 24, 2017
@bajtos bajtos self-assigned this Feb 24, 2017
raymondfeng
raymondfeng reviewed Feb 24, 2017
View reviewed changes
lib/builtin-models.js
// Because we are cloning objects created by JSON.parse,
// the cloning algorithm can stay much simpler than a general-purpose
// "cloneDeep" e.g. from lodash.
function cloneDeepJson(obj) {
Copy link
Member

@raymondfeng raymondfeng Feb 24, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it should be fine to use lodash as it's one-time charge.

Copy link
Member Author

@bajtos bajtos Feb 27, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are trying to avoid using lodash in our runtime code in order to keep the size of browserified bundle small (see #989). lodash contributes about 350kb unminified and increases the bundle size by approx 20% - see loopbackio/loopback-datasource-juggler#538.

raymondfeng
raymondfeng approved these changes Feb 24, 2017
View reviewed changes
Copy link
Member

@raymondfeng raymondfeng left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good work! I like the defensive approach.

@greaterweb
Copy link
Contributor

greaterweb commented Feb 26, 2017

Nice work on this, @bajtos!

I've tested this branch in the sample repo I was working with for #3215. I do get the warning for 2 different scenarios I tried:

In both cases the User model is not included in the model-config.json file.

The unusual thing though is in my other personal project I've been testing against, I don't get the warning message when using the same warn-on-misconfigured-accessToken-user branch. The project is consistent with the second scenario above, a custom user model is used. I don't configure any relationships with the AccessToken model so it's a little confusing why it's not triggering the warning message.

What I suspect is somewhere in my customization of my user model Loopback is being fooled into thinking my model is the same as the User model. This is consistent with the fact all of my access control related tests are passing even though a relationship with AccessToken is not configured. I'll investigate this further and report back.

@greaterweb greaterweb mentioned this pull request Feb 26, 2017
Closed
@bajtos
Copy link
Member Author

bajtos commented Feb 27, 2017

@raymondfeng @superkhau @alshamiri1 thank you for the review!

@greaterweb

What I suspect is somewhere in my customization of my user model Loopback is being fooled into thinking my model is the same as the User model. This is consistent with the fact all of my access control related tests are passing even though a relationship with AccessToken is not configured. I'll investigate this further and report back.

AFAIK, we don't have any code in LoopBack that is depending on AccessToken belongsTo User relation (after #3227 was landed). I would be surprised if your access control tests were failing because of this missing relation, as long as you are not relying on this relation in your test code by calling accessToken.user(function(err, u) {...}).

The unusual thing though is in my other personal project I've been testing against, I don't get the warning message when using the same warn-on-misconfigured-accessToken-user branch.

That's suspicious, I agree.

@bajtos
Verify User and AccessToken relations at startup
79f441b 
Modify `app.enableAuth()` to verify that (custom) User and AccessToken
models have correctly configured their hasMany/belongsTo relations
and print a warning otherwise.
@bajtos bajtos force-pushed the warn-on-misconfigured-accessToken-user branch from f0d6416 to 79f441b Compare March 3, 2017 09:25
bajtos
bajtos commented Mar 3, 2017
View reviewed changes
lib/application.js
'This typically happens when the application has a custom ' +
'custom User subclass, but does not fix AccessToken relations ' +
'to use this new model.\n' +
'Learn more at http://ibm.biz/setup-loopback-auth',
Copy link
Member Author

@bajtos bajtos Mar 3, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@crandmck I setup http://ibm.biz/setup-loopback-auth shortcut to point to http://loopback.io/doc/en/lb3/Authentication-authorization-and-permissions.html#preparing-access-control-models. If/when you move the setup instructions to a different page, then we need to change the target url of the shortcut http://ibm.biz/setup-loopback-auth points to.

@bajtos bajtos mentioned this pull request Mar 3, 2017
Merged
@bajtos bajtos merged commit ed4f56c into master Mar 3, 2017
@bajtos bajtos deleted the warn-on-misconfigured-accessToken-user branch March 3, 2017 09:57
@bajtos bajtos removed the review label Mar 3, 2017
@crandmck crandmck mentioned this pull request Mar 8, 2017
Closed
@ebarault ebarault mentioned this pull request Mar 9, 2017
Closed
2 tasks
@ebarault ebarault mentioned this pull request Mar 24, 2017
Closed
1 task
@bajtos bajtos mentioned this pull request Jun 26, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@raymondfeng raymondfeng raymondfeng approved these changes

+1 more reviewer

@superkhau superkhau superkhau approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@bajtos bajtos

Labels

feature

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@bajtos @greaterweb @raymondfeng @superkhau