LoopBack's built-in User model provides essential user management features.
Page Contents

Overview

LoopBack’s built-in User model provides essential user management features such as:

  • Registration and confirmation via email.
  • Login and logout.
  • Creating an access token.
  • Password reset.

Watch this video for an introduction to user management in LoopBack:

Creating and authenticating users

The basic process to create and authenticate users is:

  1. Register a new user with the User.create() method, inherited from the generic PersistedModel object. See Registering users for more information.
  2. Log in a user by calling User.login() to get an access token. See Logging in users for more information.
  3. Make subsequent API calls using the access token. Provide the access token in the HTTP header or as a query parameter to the REST API call, as shown in  Making authenticated requests with access tokens.

Performance tip

To improve performance during login and user creation, try installing native bcrypt.

$ npm install --save bcrypt

Understanding the built-in User model

By default, a LoopBack application has a built-in User model  defined by user.json (this file is part of the LoopBack framework. Don’t modify it; rather, follow the procedure in Extending built-in models).

Default access controls

The built-in User model has the following ACL:

{
  "name": "User",
  "properties": {
    ...
    "acls": [{
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY"
    }, {
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "ALLOW",
      "property": "create"
    }, {
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "ALLOW",
      "property": "deleteById"
    }, {
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "ALLOW",
      "property": "login"
    }, {
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "ALLOW",
      "property": "logout"
    }, {
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "ALLOW",
      "property": "findById"
    }, {
      "principalType": "ROLE",
      "principalId": "$owner",
      "permission": "ALLOW",
      "property": "updateAttributes"
    }, {
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "ALLOW",
      "property": "confirm"
    }, {
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "ALLOW",
      "property": "resetPassword",
      "accessType": "EXECUTE"
    }],
    //...
  }
}

The above ACL denies all operations to everyone, then selectively allows:

User realms

See Partitioning users with realms.

Security considerations

When a user’s account is compromised (for example their password is leaked or the attacker gains access to their email account), the app needs to be able to prevent continued use of the hijacked account.

To address this case, LoopBack invalidates access tokens (logs out sessions) when a change of password or email is detected. The access token used to request the change (the current session) is preserved.