
Checking Query Arguments For Loopback ACLs To Allow `find`ing The User's Data Only


I have two loopback services running independently in docker containers and they talk to each other.

One handles Users and the other handles some UserData associated with a User. They are connected via a remote connector on both servers that point to the other server.

When the current User updates their details on server A it needs to update some UserData on server B. Auth is done using JWT tokens, and I managed to get server A to forward the token it was given to server B.

The problem I am having is that `user.data()` on server A gets passed to the remote connector and turned into a query like `/api/UserData/find?filter[where][userId]=2` on server B, but the ACLs on server B do not allow queries on `find` because then you could get everyone's data by just changing the where clause.

Is there a way to create a dynamic Role that lets a user filter by their own data? (ie, can I check the query params in the Role resolver somehow?)


Answer

The way I did this was to create a role that checks the arguments in `context.remotingContext.req` and verifies that the `where` for the current user is included in the arguments.
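The resolver described in the answer, written out as an added example (not code from the question, the answer, or LoopBack itself). It assumes a LoopBack 3 app, the role name `$ownData`, the boot-script helper `registerOwnDataRole`, and that `UserData` rows carry a `userId` column; the `where` is accepted only when it pins `userId` to the caller's own id, so a missing, widened, or operator-based clause is rejected.

```javascript
'use strict';

// Pull the `where` clause out of an Express-parsed query. Two shapes arrive in
// practice: filter[where][userId]=2 (qs already made an object) and
// filter={"where":{...}} (a JSON string). Anything unparsable counts as absent.
function extractWhere(query) {
  if (!query || query.filter === undefined) return null;
  let filter = query.filter;
  if (typeof filter === 'string') {
    try { filter = JSON.parse(filter); } catch (e) { return null; }
  }
  return filter && typeof filter === 'object' ? filter.where : null;
}

// True only when `where` equals the caller's id on userId. A missing where would
// return every user's rows, and an operator object ({neq: 0}, {inq: [...]}) can
// match other users, so both are refused. Extra top-level keys are allowed:
// LoopBack ANDs them together, so they can only narrow the result.
function whereScopedToUser(where, userId) {
  if (!where || typeof where !== 'object') return false;
  const v = where.userId;
  if (v === undefined || v === null || typeof v === 'object') return false;
  return String(v) === String(userId); // ids arrive as strings from the URL
}

// Resolver in the (role, context, cb) shape Role.registerResolver expects.
// context.accessToken is the JWT-derived token, context.remotingContext.req the
// Express request; the callback is invoked synchronously here for simplicity.
function resolveOwnData(role, context, cb) {
  const userId = context.accessToken && context.accessToken.userId;
  if (!userId) return cb(null, false); // anonymous caller: never in the role
  const req = context.remotingContext && context.remotingContext.req;
  cb(null, whereScopedToUser(extractWhere(req && req.query), userId));
}

// Boot script (e.g. server/boot/own-data-role.js, an assumed path). Pair it with
// an ACL on UserData that ALLOWs accessType READ for property "find" to
// principalType ROLE, principalId "$ownData", after the usual DENY-all entry.
function registerOwnDataRole(app) {
  app.models.Role.registerResolver('$ownData', resolveOwnData);
}

if (typeof module !== 'undefined') {
  module.exports = { extractWhere, whereScopedToUser, resolveOwnData, registerOwnDataRole };
}
```

The check is deliberately narrow: it does not try to prove an arbitrary `where` is safe, it only recognises the one shape the remote connector actually sends.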

source: stackoverflow.com