UNPKG

@loopback/docs

Version:

Documentation files rendered at [https://loopback.io](https://loopback.io)

github.com/loopbackio/loopback-next/tree/master/docs

loopbackio/loopback-next

91 lines (73 loc) 2.81 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
--- lang: en title: 'Authorization Decorators' keywords: LoopBack 4.0, LoopBack, Node.js, TypeScript, OpenAPI, Decorator, Authorization sidebar: lb4_sidebar permalink: /doc/en/lb4/Decorators_authorize.html --- ## Authorization Decorator Syntax: - `@authorize({resource: 'order', scopes: ['create']})` The authorization decorator is used to provide access control metadata. As part of the component [`@loopback/authorization`](../Authorization-component.md), it is applied to controller members and is used to specify who can perform which operations to the protected resource. The `@authorize` decorator takes in an object in type `AuthorizationMetadata`. The syntax example specifies the `resource` and `scopes`. A full list of the available configuration properties are: - `allowedRoles`/`deniedRoles`: Define the ACL based roles. It should be an array of strings. - `voters`: Supply a list of functions to vote on a decision about a subject's accessibility. A voter is a method or class level [authorizer](../Authorization-component-authorizer.md). - `resource`: Type of the protected resource, such as customer or order. - `scopes`: An array of the operations against the protected resource, such as get or delete. - `skip`: A boolean value to mark an endpoint/a controller skips the authorization. ### Method Level Decorator You can decorate a controller method with `@authorize` like the following example. It specifies every user can create a new order. {% include code-caption.html content="src/controllers/order.controller.ts" %} ```ts class OrderController { orders: Order[] = []; // User with role 'everyone' can create new order @authorize({ allowedRoles: ['everyone'], scopes: ['create'], resource: 'order', }) async placeOrder(order: Order) { order.id = `order-${this.orders.length + 1}`; this.orders.push(order); return order.id; } } ``` ### Class Level Decorator To configure a default authorization for all methods within a class, `@authorize` can also be applied at the class level. In the code below, remote method `numOfViews()` is protected with `ADMIN` role, while authorization for remote method `hello()` is skipped by the use of `@authorize.skip()`. ```ts @authorize({allowedRoles: ['ADMIN']}) export class MyController { @get('/number-of-views') numOfViews(): number { return 100; } @authorize.skip() @get('/hello') hello(): string { return 'Hello'; } } ``` ### Shortcuts We have a list of shortcut decorators to quickly configure the metadata. For instance, `authorize.allow(...roles: string[]` is short for `authorize({allowedRoles: roles})`; You can find all the shortcuts in the [`@authorize()` API documentation](https://loopback.io/doc/en/lb4/apidocs.authorization.authorize.html#variables).