Page Contents

The basic process for an application to create and authenticate users is:

  1. Register a new user with the User.create() method, inherited from the PersistedModel object. See Registering users for details.
  2. Call User.login() to request an access token from the client application on behalf of the user. See Logging in users for details.
  3. Invoke an API using the access token. Provide the access token in the HTTP header or as a query parameter to the REST API call, as illustrated below.

Making authenticated requests with access tokens

Once a user is logged in, LoopBack creates a new AccessToken referencing the user. This token is required when making subsequent REST requests for the access control system to validate that the user can invoke methods on a given Model.

shell

ACCESS_TOKEN=6Nb2ti5QEXIoDBS5FQGWIz4poRFiBCMMYJbYXSGHWuulOuy0GTEuGx2VCEVvbpBK

# Authorization Header
curl -X GET -H "Authorization: $ACCESS_TOKEN" \
http://localhost:3000/api/widgets

# Query Parameter
curl -X GET http://localhost:3000/api/widgets?access_token=$ACCESS_TOKEN

To use cookies for authentication, add the following to server.js (before boot):

/server/server.js

app.use(loopback.token({
    model: app.models.accessToken
}));

Using current user id as a literal in URLs for REST

To allow the current logged in user id for REST APIs,  configure the token middleware with currentUserLiteral options. 

/server/server.js

app.use(loopback.token({
    model: app.models.accessToken,
    currentUserLiteral: 'me'
}));

The currentUserLiteral defines a special token that can be used in the URL for REST APIs, for example:

curl -X GET http://localhost:3000/api/users/me/orders?access_token=$ACCESS_TOKEN

Please note the URL will be rewritten to http://localhost:3000/api/users/<currentLoggedInUserId>/orders?access_token=$ACCESS_TOKEN by LoopBack.

Deleting access tokens

A user will be effectively logged out by deleting the access token they were issued at login. This affects only the specified access token; other tokens attached to the user will still be valid.

/server/boot/script.js

var USER_ID = 1;
var ACCESS_TOKEN = '6Nb2ti5QEXIoDBS5FQGWIz4poRFiBCMMYJbYXSGHWuulOuy0GTEuGx2VCEVvbpBK';
// remove just the token
var token = new AccessToken({
  id: ACCESS_TOKEN
});
token.destroy();
// remove all user tokens
AccessToken.destroyAll({
  where: {
    userId: USER_ID
  }
});