LoopBack's built-in User model provides essential user management features.
Overview

LoopBack’s built-in User model provides essential user management features such as:

  • Registration and confirmation via email.
  • Login and logout.
  • Creating an access token.
  • Password reset.

Creating and authenticating users

The basic process to create and authenticate users is:

  1. Register a new user with the User.create() method, inherited from the generic PersistedModel object. See Registering users for more information.
  2. Log in a user by calling User.login() to get an access token. See Logging in users for more information.
  3. Make subsequent API calls using the access token. Provide the access token in the HTTP header or as a query parameter of the REST API call, as shown in Making authenticated requests with access tokens.

Performance tip

To improve performance during login and user creation, try installing native bcrypt.

$ npm install --save bcrypt

Understanding the built-in User model

By default, a LoopBack application has a built-in User model defined by user.json. This file is part of the LoopBack framework; don't modify it. Instead, follow the procedure in Extending built-in models.

Default access controls

The built-in User model has the following ACLs (the "acls" array is a top-level key of user.json, a sibling of "properties"):

{
  "name": "User",
  "properties": {
    ...
  },
  "acls": [{
    "principalType": "ROLE",
    "principalId": "$everyone",
    "permission": "DENY"
  }, {
    "principalType": "ROLE",
    "principalId": "$everyone",
    "permission": "ALLOW",
    "property": "create"
  }, {
    "principalType": "ROLE",
    "principalId": "$owner",
    "permission": "ALLOW",
    "property": "deleteById"
  }, {
    "principalType": "ROLE",
    "principalId": "$everyone",
    "permission": "ALLOW",
    "property": "login"
  }, {
    "principalType": "ROLE",
    "principalId": "$everyone",
    "permission": "ALLOW",
    "property": "logout"
  }, {
    "principalType": "ROLE",
    "principalId": "$owner",
    "permission": "ALLOW",
    "property": "findById"
  }, {
    "principalType": "ROLE",
    "principalId": "$owner",
    "permission": "ALLOW",
    "property": "updateAttributes"
  }, {
    "principalType": "ROLE",
    "principalId": "$everyone",
    "permission": "ALLOW",
    "property": "confirm"
  }, {
    "principalType": "ROLE",
    "principalId": "$everyone",
    "permission": "ALLOW",
    "property": "resetPassword",
    "accessType": "EXECUTE"
  }],
  ...
}

The above ACL first denies all operations to everyone, then selectively allows:

  • Everyone, including unauthenticated callers: create, login, logout, confirm and resetPassword (the last one as an EXECUTE access type).
  • Only the record's owner ($owner, the authenticated user the record belongs to): findById, updateAttributes and deleteById.

Any other method, for example listing all users with find, has no ALLOW rule and therefore stays denied by the first rule.
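How these rules resolve for a given caller, shown with an added, simplified resolver (example code, not LoopBack's own ACL engine, whose scoring also weighs accessType and principal type). The helper names rolesFor and resolve are hypothetical, and the example assumes a caller is $owner of a User record exactly when its user id equals the record's id:

```javascript
// The ACL list from the built-in User model above, as plain objects.
const USER_ACLS = [
  { principalType: 'ROLE', principalId: '$everyone', permission: 'DENY' },
  { principalType: 'ROLE', principalId: '$everyone', permission: 'ALLOW', property: 'create' },
  { principalType: 'ROLE', principalId: '$owner', permission: 'ALLOW', property: 'deleteById' },
  { principalType: 'ROLE', principalId: '$everyone', permission: 'ALLOW', property: 'login' },
  { principalType: 'ROLE', principalId: '$everyone', permission: 'ALLOW', property: 'logout' },
  { principalType: 'ROLE', principalId: '$owner', permission: 'ALLOW', property: 'findById' },
  { principalType: 'ROLE', principalId: '$owner', permission: 'ALLOW', property: 'updateAttributes' },
  { principalType: 'ROLE', principalId: '$everyone', permission: 'ALLOW', property: 'confirm' },
  { principalType: 'ROLE', principalId: '$everyone', permission: 'ALLOW', property: 'resetPassword',
    accessType: 'EXECUTE' },
];

// Hypothetical helper: roles the caller holds for a target record.
// $everyone always applies; $owner only when the caller's user id (from a
// valid access token) equals the id of the record being accessed.
function rolesFor(callerUserId, targetUserId) {
  const roles = ['$everyone'];
  if (callerUserId != null && callerUserId === targetUserId) roles.push('$owner');
  return roles;
}

// Hypothetical helper: effective permission for one method call.
// Simplified rule: a rule naming a "property" is more specific than the
// wildcard rule and wins; with no matching rule at all the answer is DENY.
function resolve(acls, callerUserId, targetUserId, method) {
  const roles = rolesFor(callerUserId, targetUserId);
  let decision = 'DENY';
  let bestScore = -1;
  for (const rule of acls) {
    if (rule.principalType !== 'ROLE' || !roles.includes(rule.principalId)) continue;
    if (rule.property && rule.property !== method) continue;
    const score = rule.property ? 2 : 1; // specific beats wildcard
    if (score >= bestScore) { bestScore = score; decision = rule.permission; }
  }
  return decision;
}

// Constructed callers: anonymous (null), user 1 and user 2, against user 1's record.
console.log(resolve(USER_ACLS, null, 1, 'create'));        // ALLOW: anyone may register
console.log(resolve(USER_ACLS, 2, 1, 'findById'));         // DENY: user 2 is not the owner
console.log(resolve(USER_ACLS, 1, 1, 'updateAttributes')); // ALLOW: owner of the record
console.log(resolve(USER_ACLS, 1, 1, 'find'));             // DENY: no rule allows listing users
```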

User realms

See Partitioning users with realms.

Security considerations

See Access token invalidation.