How to access "current logged-in user" in remote methods?

Question

recently in one of my applications I needed to access currently logged-in user data for saving in another model (something like the author of a book or owner of a book). in my googling, I encountered these references but none of them was useful.

https://github.com/strongloop/loopback/issues/1495

https://docs.strongloop.com/display/public/LB/Using+current+context

...

all of them have this problem about accessing context or req object. after three days I decided to switch to afterRemote remote hook and add Owner or Author on that stage. but something was wrong with this solution.

in strongloop's documentations (https://docs.strongloop.com/display/public/LB/Remote+hooks) there is a variable as ctx.req.accessToken that saves current logged-in user access token. but in the application this variable is undefined. instead, I found accessToken in ctx.req.query.access_token and it was currently access_token variable that is sent to the server.

here is my problem:

1. is this variable (ctx.req.query.access_token) always available or it's just because loopback-explorer send access_token as GET variable?

2. in production mode do applications need to send access_token as GET variable or it should be sent as Authorization in the header?

3. why ctx.req.accessToken is undefined?

4. could these things change over time? cause most of users encounter this problem due to deprecation of app.getCurrentContext()

Answer 1

In the updated doc https://loopback.io/doc/en/lb3/Using-current-context.html

add this in your remoting metadata

"accepts": [
    {"arg": "options", "type": "object", "http": "optionsFromRequest"}
  ]

then

MyModel.methodName = function(options) {
   const token = options && options.accessToken;
   const userId = token.userId
}

but it says

In LoopBack 2.x, this feature is disabled by default for compatibility reasons. To enable, add "injectOptionsFromRemoteContext": true to your model JSON file.

so add "injectOptionsFromRemoteContext": true on your model.json file

Answer 2

1. Is this variable (ctx.req.query.access_token) always available or it's just because loopback-explorer send access_token as GET variable?

Well if your application always sends in the querystring, then it'll be always available for you, but it also sent in the header, or cookie or in the request body, but I don't suggest using it because it if the user logged in and the access token is valid and ctx.req.accessToken should be available and you can use it.

2. In production mode do applications need to send access_token as GET variable or it should be sent as Authorization in the header?

I believe Authorization header is preferred, as if you send it in a GET variable, well it'll be visible in the logs and someone with the access to the logs can access the session(well unless you trust everyone), other than this it's fine to have it in a GET variable. Though I believe loopback client SDKs(Angular, Android, iOS) all send it via Authorization header by default, so you might have to configure them(maybe not possible).

3. Why ctx.req.accessToken is undefined?

Sometimes the context is lost thanks to the database drivers connection pooling, or the context req is lost(ctx.req) and they are null. Assuming ctx.req is defined(because sometimes it's not), then probably that means the user is not logged it, or it's access token wasn't valid(expired or not in database). Also it could be a bug(maybe misconfiguration on your side), which also means for you that you will authentication problems.

4. Could these things change over time? cause most of users encounter this problem due to deprecation of app.getCurrentContext()

app.getCurrentContext is risky to use and I don't suggest unless you have no other solution. If you use it and it works, it might stop working if the database driver changes or in some corner cases that you haven't tested it, it might not work.