Registering the Authorization Component
The @loopback/authorization package exports an Authorization Component class.
- Developers will have to register this component to use access control features in their application.

  ```ts
  import {
    AuthorizationBindings, AuthorizationComponent,
    AuthorizationDecision, AuthorizationOptions,
  } from '@loopback/authorization';

  // Deny when any authorizer votes DENY, and deny when every authorizer abstains.
  const options: AuthorizationOptions = {
    precedence: AuthorizationDecision.DENY,
    defaultDecision: AuthorizationDecision.DENY,
  };

  // `app` is the application instance the component is mounted on.
  app.configure(AuthorizationBindings.COMPONENT).to(options);
  app.component(AuthorizationComponent);
  ```

- The authorization `options` are provided specifically for enforcing the decision matrix, which is used to combine the votes from all `authorize` functions. The options are described by the interface `AuthorizationOptions`.

  ```ts
  export interface AuthorizationOptions {
    /**
     * Default decision if all authorizers vote for ABSTAIN
     */
    defaultDecision?: AuthorizationDecision.DENY | AuthorizationDecision.ALLOW;
    /**
     * Controls if Allow/Deny vote takes precedence and overrides other votes
     */
    precedence?: AuthorizationDecision.DENY | AuthorizationDecision.ALLOW;
  }
  ```
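The following added example (not code from @loopback/authorization) models the decision matrix that `defaultDecision` and `precedence` describe, so the effect of each setting can be compared on constructed vote lists. The names `Vote`, `Verdict`, `Options`, `combineVotes`, `decisionTable` and the three configurations are assumptions made for the illustration.

```typescript
// Added illustration: a local model of the vote-combining rules described by
// AuthorizationOptions. Nothing here is imported from @loopback/authorization.
type Verdict = 'Allow' | 'Deny';
type Vote = Verdict | 'Abstain';

interface Options {
  defaultDecision: Verdict; // used only when every voter abstains
  precedence: Verdict; // a vote with this value overrides all others
}

function combineVotes(votes: Vote[], options: Options): Verdict {
  let finalDecision: Verdict = options.defaultDecision;
  for (const vote of votes) {
    if (vote === 'Abstain') continue; // abstentions never change the outcome
    if (vote === options.precedence) return vote; // overriding vote: stop here
    finalDecision = vote; // an explicit vote replaces the default
  }
  return finalDecision;
}

// Hypothetical configurations to compare.
const configs: {name: string; options: Options}[] = [
  {name: 'deny/deny (fail closed)', options: {defaultDecision: 'Deny', precedence: 'Deny'}},
  {name: 'allow default, deny precedence', options: {defaultDecision: 'Allow', precedence: 'Deny'}},
  {name: 'allow/allow (fail open)', options: {defaultDecision: 'Allow', precedence: 'Allow'}},
];

// Constructed vote lists, one per situation worth checking.
const voteSets: Vote[][] = [
  ['Abstain', 'Abstain'],
  ['Allow', 'Abstain'],
  ['Allow', 'Deny'],
];

// One row per (configuration, vote list) pair with the resulting decision.
function decisionTable(): string[] {
  const rows: string[] = [];
  for (const config of configs) {
    for (const votes of voteSets) {
      const decision = combineVotes(votes, config.options);
      rows.push(`${config.name} | ${votes.join(',')} -> ${decision}`);
    }
  }
  return rows;
}

console.log(decisionTable().join('\n'));
```

In this model, only the configuration with `defaultDecision` set to Deny refuses a request when every voter abstains, and only `precedence` set to Deny guarantees that a single Deny vote cannot be outvoted.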
The component also declares various types that developers use to define the necessary classes and inputs.

- `Authorizer`: A class implementing access policies. Accepts `AuthorizationContext` and `AuthorizationMetadata` as input and returns an `AuthorizationDecision`.
- `AuthorizationDecision`: expected type to be returned by an `Authorizer`.
- `AuthorizationMetadata`: expected type of the authorization spec passed to the decorator used to annotate a controller method. Also provided as an input parameter to the `Authorizer`.
- `AuthorizationContext`: contains the current principal invoking an endpoint, the request context, and the expected roles and scopes.
- `Enforcer`: type of extension classes that provide authorization services for an `Authorizer`.
- `AuthorizationRequest`: type of the input provided to an `Enforcer`.
- `AuthorizationError`: expected type of the error thrown by an `Authorizer`.