Authentication in LoopBack 4

At work I was assigned to a project for creating a REST API. Some people said me to try LoopBack 4, because it would allow me to create REST APIs in minutes and it is absolutely true.

Just to check it, I suggest you to follow the Todo Tutorial in LoopBack web. You do not need to do the Bonus point. With the above ones, you will have a simple REST API working.

When I was doing the Authentication, I could not find many resources to help me with it, so I decided to post it in order to help other developers in the future.

When you have your Todo Tutorial done, then we will continue with the Authentication.


First of all we will have to install the @loopback/authentication package:

npm install --save @loopback/authentication@1.1.2

Then, in our todo.controller.ts file we will add the @authenticate decorator to our GET /todos/count method, for example.

As you can see, we will be using a BearerStrategy for Authentication, this means, the users will be authenticated with a Bearer token.

After this, we will continue installing other packages.

npm install --save passport passport-http
npm install --save-dev @types/passport @types/passport-http
npm install --save passport-http-bearer
npm install --save @types/passport-http-bearer
npm install --save bcrypt
npm install --save @types/bcrypt
npm install --save jsonwebtoken
npm install --save @types/jsonwebtoken

When the installations are finished, we will have to create the strategy provider. The strategy provider will be managing the authentication.

As we can see, the strategy provider will receive the strategy that we set in our decorator (BearerStrategy in our case) and will execute the verify method. When the user is authenticated we will have to return cb(null, Object). In case that it is not authenticated, we will return cb(null, false). The verify method is checking that the given token is authenticated.

Now we will need to implement a custom Sequence in order to invoke the authentication at the right time during request handling.

Then we will use our strategy provider in our application.ts.

We wil create now our User model. To do this we need to run the following commands:

Then we will create the repository:

And the controller:

Now we should be able to test it. So we can start our REST API:

npm start

And do a request to the method we set the @authenticate decorator.

If it is correctly done, we should receive a 401 Unathorized Error.

After checking that it is working our @authenticate decorator we have now to hash with salt our users’ passwords. To do it, we will have to edit the user.controller.ts autogenerated file:

After this, we should be able to create new users with hashed password. To do it, start again the application and just send a POST request to /users endpoint. If you go now to the ./data/db.json file you will see the new created user with the hashed password.

To finish we will create an auth controller where the login will be implemented. Since we will use a token for the authentication, the login will give us back the token to be authenticated.

To create the controller, just create a new file in the /src/controllers folder named auth.controller.ts.

After creating this controller, we will be able to:

  1. Create our user with a POST /users.
  2. Login with the set user and password and get the token.
  3. Use the GET /todos/count endpoint with the token.

You can follow me on LinkedIn.