
Loopback IO OAuth not working

I am trying to get a https loopback server up and running protected by OAuth. I am using the loopback gateway sample project as a reference. But for some reason I can't get the OAuth piece to work. What I mean is, even after adding in the OAuth bits and pieces, the APIs don't seem to be protected. I get a response back even if there is no token in my request. This is what my server.js looks like:

    var loopback = require('loopback');
    var boot = require('loopback-boot');
    var https = require('https');
    var path = require('path');
    var httpsRedirect = require('./middleware/https-redirect');
    var site = require('./site');
    var sslConfig = require('./ssl-config');

    var options = {
      key: sslConfig.privateKey,
      cert: sslConfig.certificate
    };

    var app = module.exports = loopback();

    // Set up the /favicon.ico
    app.middleware('initial', loopback.favicon());

    // request pre-processing middleware
    app.middleware('initial', loopback.compress());

    app.middleware('session', loopback.session({
      saveUninitialized: true,
      resave: true,
      secret: 'keyboard cat'
    }));

    // -- Add your pre-processing middleware here --

    // boot scripts mount components like REST API
    boot(app, __dirname);

    // Redirect http requests to https
    var httpsPort = app.get('https-port');
    app.middleware('routes', httpsRedirect({httpsPort: httpsPort}));

    var oauth2 = require('loopback-component-oauth2')(
      app, {
        // Data source for oAuth2 metadata persistence
        dataSource: app.dataSources.pg,
        loginPage: '/login', // The login page url
        loginPath: '/login' // The login processing url
      });

    app.set('view engine', 'ejs');
    app.set('views', path.join(__dirname, 'views'));

    // Set up login/logout forms
    app.get('/login', site.loginForm);
    app.get('/logout', site.logout);
    app.get('/account', site.account);
    app.get('/callback', site.callbackPage);

    var auth = oauth2.authenticate({session: false, scope: 'demo'});
    app.use(['/protected', '/api', '/me', '/_internal'], auth);

    app.get('/me', function(req, res) {
      // req.authInfo is set using the `info` argument supplied by
      // `BearerStrategy`. It is typically used to indicate scope of the token,
      // and used in access control checks. For illustrative purposes, this
      // example simply returns the scope in the response.
      res.json({
        'user_id': req.user.id,
        name: req.user.username,
        accessToken: req.authInfo.accessToken
      });
    });

    signupTestUserAndApp();

    //var rateLimiting = require('./middleware/rate-limiting');
    //app.middleware('routes:after', rateLimiting({limit: 100, interval: 60000}));

    //var proxy = require('./middleware/proxy');
    //var proxyOptions = require('./middleware/proxy/config.json');
    //app.middleware('routes:after', proxy(proxyOptions));

    app.middleware('files',
      loopback.static(path.join(__dirname, '../client/public')));
    app.middleware('files', '/admin',
      loopback.static(path.join(__dirname, '../client/admin')));

    // Requests that get this far won't be handled
    // by any middleware. Convert them into a 404 error
    // that will be handled later down the chain.
    app.middleware('final', loopback.urlNotFound());

    // The ultimate error handler.
    app.middleware('final', loopback.errorHandler());

    app.start = function(httpOnly) {
      if(httpOnly === undefined) {
        httpOnly = process.env.HTTP;
      }
      server = https.createServer(options, app);
      server.listen(app.get('port'), function() {
        var baseUrl = (httpOnly? 'http://' : 'https://') + app.get('host') + ':' + app.get('port');
        app.emit('started', baseUrl);
        console.log('LoopBack server listening @ %s%s', baseUrl, '/');
      });
      return server;
    };

    // start the server if `$ node server.js`
    if (require.main === module) {
      app.start();
    }

    function signupTestUserAndApp() {
      // Create a dummy user and client app
      app.models.User.create({username: 'bob', password: 'secret', email: 'foo@bar.com'},
        function(err, user) {
          if (!err) {
            console.log('User registered: username=%s password=%s',
              user.username, 'secret');
          }

          // Hack to set the app id to a fixed value so that we don't have to change
          // the client settings
          app.models.Application.beforeSave = function(next) {
            this.id = 123;
            this.restApiKey = 'secret';
            next();
          };

          app.models.Application.register(
            user.username,
            'demo-app',
            { publicKey: sslConfig.certificate },
            function(err, demo) {
              if (err) {
                console.error(err);
              } else {
                console.log('Client application registered: id=%s key=%s',
                  demo.id, demo.restApiKey);
              }
            }
          );
        });
    }

I don't get any errors when the server starts up. Thoughts?

Got it figured. More information here: https://github.com/strongloop/loopback-gateway/issues/17, but basically I had my rest-api middleware not configured right.
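
The symptom in the question, a response even with no token in the request, can be turned into a regression check. The following is an added example, not code from the post or from LoopBack: it models an Express-style middleware chain in plain Node and reports which of the question's four path prefixes answer a token-less request. The answer does not say what the misconfiguration was; the ordering shown (REST handler registered ahead of the auth layer) is an assumption, and all function names are hypothetical.

```javascript
// Added illustration (not from the post): a plain-Node model of an Express-style chain.
// makeApp, bearerAuth, restHandler, buildApp and auditUnprotected are hypothetical names.
const PROTECTED = ['/protected', '/api', '/me', '/_internal']; // prefixes from the question

function makeApp() {
  const stack = [];
  return {
    use(prefixes, fn) { stack.push({ prefixes: [].concat(prefixes), fn }); },
    // Runs the layers in registration order and returns the final status code.
    handle(req) {
      const res = { status: 404 };
      let i = 0;
      const next = () => {
        while (i < stack.length) {
          const layer = stack[i++];
          const hit = layer.prefixes.some(
            (p) => req.path === p || req.path.startsWith(p + '/'));
          if (hit) return layer.fn(req, res, next);
        }
      };
      next();
      return res.status;
    },
  };
}

// Stand-in for oauth2.authenticate(): 401 unless a bearer token is present.
function bearerAuth(req, res, next) {
  if (!/^Bearer \S+$/.test(req.headers.authorization || '')) { res.status = 401; return; }
  next();
}

// Stand-in for the REST API handler: answers every request that reaches it.
function restHandler(req, res) { res.status = 200; }

// Assumed misconfiguration (authFirst = false): REST handler registered before auth.
function buildApp(authFirst) {
  const app = makeApp();
  if (authFirst) app.use(PROTECTED, bearerAuth);
  app.use('/api', restHandler);
  if (!authFirst) app.use(PROTECTED, bearerAuth);
  return app;
}

// Returns the protected prefixes that answer a token-less request with anything but 401.
function auditUnprotected(app) {
  return PROTECTED.filter((p) => app.handle({ path: p + '/x', headers: {} }) !== 401);
}

console.log('auth registered last :', auditUnprotected(buildApp(false)));
console.log('auth registered first:', auditUnprotected(buildApp(true)));
```

Against a real server the same audit is a token-less request to each protected prefix, failing the build on any status other than 401.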
