User REST API | LoopBack Documentation

The built-in User model represents an application end-user.

Note: You can use the StrongLoop API Explorer to quickly construct and make requests to a LoopBack app running on the server. If a LoopBack app is running on localhost at port 3000, then by default API Explorer is available at http://localhost:3000/explorer/.

All of the endpoints in the table below are inherited from PersistedModel REST API, except for the following:

Log in user - POST /users/login
Log out user - POST /users/logout
Confirm email address - GET /users/confirm
Reset password - POST /users/reset

Quick reference

URI Pattern	HTTP Verb	Default Permission	Description	Arguments
`/users`	POST	Allow	Add user instance and persist to data source. Inherited from PersistedModel API.	JSON object (in request body) providing User object properties: `username`, `password`, `email`. LoopBack sets values for `emailVerified` and `verificationToken`. NOTE: A value for `username` is not required, but a value for `email` is. LoopBack validates a unique value for `password` is provided. LoopBack does not automatically maintain values of the `created` and `lastUpdated` properties; you can set them manually if you wish.
`/users`	GET	Deny	Find matching instances of users that match specified filter. Inherited from PersistedModel API.	One or more filters in query parameters: where include order limit skip / offset fields
`/users`	PUT	Deny	Update / insert user instance and persist to data source. Inherited from PersistedModel API.	JSON object (in request body) Same as for `POST /users`
`/users/id`	GET	Deny	Find user by ID: Return data for the specified user ID. Inherited from PersistedModel API.	id, the user ID (in URI path)
`/users/id`	PUT	Deny	Update user attributes for specified user ID and persist. Inherited from PersistedModel API.	Query parameters: data An object containing property name/value pairs id The model id
`/users/id`	DELETE	Deny	Delete user with specified instance ID. Inherited from PersistedModel API.	id, user ID (in URI path)
`/users/id/accessTokens`	GET	Deny	Returns access token for specified user ID.	id, user ID, in URI path where in query parameters
`/users/id/accessTokens`	POST	Deny	Create access token for specified user ID.	id, user ID, in URI path
`/users/id/accessTokens`	DELETE	Deny	Delete access token for specified user ID.	id, user ID, in URI path
`/users/confirm`	GET	Deny	Confirm email address for specified user.	Query parameters: uid token redirect
`/users/count`	GET	Deny	Return number of user instances that match specified where clause. Inherited from PersistedModel API.	"Where" filter specified in query parameter
`/users/id/exists`	GET	Deny	Check instance existence: Return true if specified user ID exists. Inherited from PersistedModel API.	URI path: users - Model name id - Model instance ID
`/users/findOne`	GET	Deny	Find first user instance that matches specified filter. Inherited from PersistedModel API.	One or more filters in query parameters: where include order limit skip / offset fields
`/users/login[?include=user]`	POST	Allow	Log in the specified user.	Username and password in POST body. If query parameter is `include=user`, then returns the user object.
`/users/logout`	POST	Allow	Log out the specified user.	Access token in POST body.
`/users/reset`	POST		Reset password for the specified user.	In POST body

Log in user

POST /users/login

You must provide a username or an email, and the password in the request body. To ensure these values are encrypted, include these as part of the body and make sure you are serving your app over HTTPS (through a proxy or using the HTTPS node server).

You may also specify how long you would like the access token to be valid by providing a ttl (time to live) property with value in seconds.

Example

Request URL: POST http://localhost:3000/users/login

Request body:

{
    "email": "foo@bar.com",
    "password": "bar",
    "ttl": 86400
  }

Response status code: 200

Response body:

{
  "id": "PqosmmPCdQgwerDYwQcVCxMakGQV0BSUwG4iGVLvD3XUYZRQky1cmG8ocmzsVpEE",
  "ttl": 86400,
  "created": "2014-12-23T08:31:33.464Z",
  "userId": 1
}

The access token for the user’s session is returned in the id key of the response. It must be specified in the query parameter access_token for all the APIs that requires the user to be logged in. For example:

http://localhost:3000/api/Users/logout?access_token=PqosmmPCdQgwerDYwQcVCxMakGQV0BSUwG4iGVLvD3XUYZRQky1cmG8ocmzsVpEE.

Log out user

POST /users/logout

Example

Request URL: POST http://localhost:3000/api/Users/logout?access_token=PqosmmPCdQgwerDYwQcVCxMakGQV0BSUwG4iGVLvD3XUYZRQky1cmG8ocmzsVpEE.

Response status code: 204

Confirm email address

Require a user to verify their email address before being able to login. This will send an email to the user containing a link to verify their address. Once the user follows the link they will be redirected to web root (“/”) and will be able to login normally.

GET /users/confirm

Parameters

Query parameters:

uid
token
redirect

Return value

If token invalid: HTTP 400

If user not found: HTTP 404

If successful: HTTP 204

Reset password

POST /users/reset

Parameters

POST payload:

{
  "email": "foo@bar.com"
  ...
}

Return value

200 OK

You must the handle the ‘resetPasswordRequest' event to send a reset email containing an access token to the correct user.

The example below shows how to get an access token that a user can use to reset their password.

common/models/user.js

User.on('resetPasswordRequest', function (info) {
  console.log(info.email); // the email of the requested user
  console.log(info.accessToken.id); // the temp access token to allow password reset

  // requires AccessToken.belongsTo(User)
  info.accessToken.user(function (err, user) {
    console.log(user); // the actual user
  });
});

See also Verifying email addresses (Registering users).

Tags: models