I tried to adapt what I learned from the access-control example into a very simple API that now has an admin user account that can log in and create a "publication". I am able to log the user in and get an access token, but when I try to POST to my publication endpoint I keep getting a 401 Unauthorized error. I've been stuck on this all day. I've searched and haven't found anything about this problem. Help would be greatly appreciated.
Here is the output when I run DEBUG=loopback:security:* slc run:
lopback:security:role isInRole(): admin +10s
loopback:security:access-context ---AccessContext--- +0ms
loopback:security:access-context principals: +0ms
loopback:security:access-context principal: {"type":"USER","id":1} +0ms
loopback:security:access-context modelName publication +0ms
loopback:security:access-context modelId undefined +0ms
loopback:security:access-context property create +0ms
loopback:security:access-context method create +0ms
loopback:security:access-context accessType WRITE +0ms
loopback:security:access-context accessToken: +0ms
loopback:security:access-context id "HtEgTxkSSROIJEfZiB3AObXnWVGGZ0VoFkNDX7jie8HHZh8nHv5vNzGDEgNWiBCb" +0ms
loopback:security:access-context ttl 1209600 +0ms
loopback:security:access-context getUserId() 1 +0ms
loopback:security:access-context isAuthenticated() true +0ms
loopback:security:role isInRole(): $everyone +1ms
loopback:security:access-context ---AccessContext--- +0ms
loopback:security:access-context principals: +0ms
loopback:security:access-context principal: {"type":"USER","id":1} +0ms
loopback:security:access-context modelName publication +0ms
loopback:security:access-context modelId undefined +0ms
loopback:security:access-context property create +0ms
loopback:security:access-context method create +0ms
loopback:security:access-context accessType WRITE +0ms
loopback:security:access-context accessToken: +0ms
loopback:security:access-context id "HtEgTxkSSROIJEfZiB3AObXnWVGGZ0VoFkNDX7jie8HHZh8nHv5vNzGDEgNWiBCb" +1ms
loopback:security:access-context ttl 1209600 +0ms
loopback:security:access-context getUserId() 1 +0ms
loopback:security:access-context isAuthenticated() true +0ms
loopback:security:role Custom resolver found for role $everyone +0ms
loopback:security:role Role found: {"id":1,"name":"admin","created":"2014-12-17T21:02:30.442Z","modified":"2014-12-17T21:02:30.442Z"} +0ms
loopback:security:role Role mapping found: null +2ms
loopback:security:role isInRole() returns: false +0ms
loopback:security:acl The following ACLs were searched: +0ms
loopback:security:acl ---ACL--- +0ms
loopback:security:acl model publication +0ms
loopback:security:acl property * +0ms
loopback:security:acl principalType ROLE +1ms
loopback:security:acl principalId $everyone +0ms
loopback:security:acl accessType * +0ms
loopback:security:acl permission DENY +0ms
loopback:security:acl with score: +0ms 7495
loopback:security:acl ---Resolved--- +0ms
loopback:security:access-context ---AccessRequest--- +0ms
loopback:security:access-context model publication +0ms
loopback:security:access-context property create +1ms
loopback:security:access-context accessType WRITE +0ms
loopback:security:access-context permission DENY +0ms
loopback:security:access-context isWildcard() false +0ms
loopback:security:access-context isAllowed() false +0ms
common/models/publication.json
{
  "name": "publication",
  "base": "PersistedModel",
  "idInjection": true,
  "properties": {
    "name": {
      "type": "string",
      "required": true
    },
    "price": {
      "type": "number",
      "required": true
    }
  },
  "validations": [],
  "relations": {},
  "acls": [
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY"
    },
    {
      "accessType": "WRITE",
      "principalType": "ROLE",
      "principalId": "admin",
      "permission": "ALLOW",
      "property": "create"
    }
  ],
  "methods": []
}
server/database.json
{
  "ids": {
    "User": 1,
    "AccessToken": 2,
    "ACL": 1,
    "RoleMapping": 1,
    "Role": 1,
    "publication": 1,
    "account": 3
  },
  "models": {
    "User": {},
    "AccessToken": {
      "HtEgTxkSSROIJEfZiB3AObXnWVGGZ0VoFkNDX7jie8HHZh8nHv5vNzGDEgNWiBCb": "{\"id\":\"HtEgTxkSSROIJEfZiB3AObXnWVGGZ0VoFkNDX7jie8HHZh8nHv5vNzGDEgNWiBCb\",\"ttl\":1209600,\"created\":\"2014-12-17T21:02:48.103Z\",\"userId\":1}"
    },
    "ACL": {},
    "RoleMapping": {
      "1": "{\"id\":1,\"principalType\":\"USER\",\"roleId\":1}"
    },
    "Role": {
      "1": "{\"id\":1,\"name\":\"admin\",\"created\":\"2014-12-17T21:02:30.442Z\",\"modified\":\"2014-12-17T21:02:30.442Z\"}"
    },
    "publication": {},
    "account": {
      "1": "{\"fullname\":\"Jane Doe\",\"username\":\"janed\",\"password\":\"$2a$10$PWkG/Y.Jb9w25xtxZwUt/.WOQRZTVgIdKTalGVoCyBE3PoDqD9tK6\",\"email\":\"jane.doe@example.com\",\"id\":1}",
      "2": "{\"fullname\":\"John Doe\",\"username\":\"johnd\",\"password\":\"$2a$10$dD6r9NmV18R.epAg8.FuvuluQoJfIPMnUw9nGVFivu94PeKp0aKja\",\"email\":\"john.doe@example.com\",\"id\":2}"
    }
  }
}
Edit:
Some progress: I noticed that the principal ID of the role mapping wasn't being set when creating the test data. I've fixed that, but the role mapping still isn't found.
Edit 2:
Actually, that really was the problem; after fixing the principalId I was testing the wrong endpoint. I can now test the create endpoint.
Answer 0 (score: 1)
It turns out I wasn't setting the principal ID correctly when setting up the test data. I was using
var accounts = [{
  username: 'janed',
  email: 'jane.doe@example.com',
  fullname: 'Jane Doe',
  password: 'secret'
}, {
  username: 'johnd',
  email: 'john.doe@example.com',
  fullname: 'John Doe',
  password: 'secret'
}];
accounts.forEach(function (account) {
  Account.create(account, function (err, result) {
    //...
    role.principals.create({
      principalType: RoleMapping.USER,
      principalId: account.id // <-- undefined! should use result.id
    });
    //...
  });
});
Once I switched the principal ID to use result.id, the ACL started working.
Answer 1 (score: 0)
I have been using LoopBack successfully for the past 4 months on a very high-traffic application, and even I ran into this issue when starting out. If you check the logs you mentioned, they clearly show that access is not allowed:
loopback:security:acl permission DENY +0ms
loopback:security:access-context permission DENY +0ms
There are a few things you can do to check it:
First give $everyone create access and check whether it works, then change the access to $authenticated and check; if the latter works, it means the ACL is fine and there is some problem with the role or the role mapping.
Try creating an ACL for the first time using the ACL generator: slc loopback:acl
It will guide you through creating the ACL yourself.
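To see why an undefined principalId in the RoleMapping produced the DENY in the question (answer 0) and how the $everyone / $authenticated check from answer 1 narrows the cause down, here is an added, simplified model of LoopBack's ACL resolution written for this page; it is not LoopBack's own code, and the scoring rule, the role table and the two role mappings are constructed to mirror publication.json and database.json above.

```javascript
// Added example (not LoopBack's code): simplified ACL resolution for the
// publication model, using the ACL entries from publication.json above.
const acls = [
  { accessType: '*', principalType: 'ROLE', principalId: '$everyone', permission: 'DENY' },
  { accessType: 'WRITE', principalType: 'ROLE', principalId: 'admin', permission: 'ALLOW', property: 'create' },
];

// Role table as in database.json (constructed to match the page).
const roles = [{ id: 1, name: 'admin' }];

// Simplified isInRole(): built-in roles first, then a RoleMapping lookup by
// role id and principal id. A mapping with principalId undefined never matches
// a real user, which is what "Role mapping found: null" in the log reflects.
function isInRole(roleName, userId, roleMappings) {
  if (roleName === '$everyone') return true;
  if (userId === undefined) return false; // anonymous request: no other roles
  if (roleName === '$authenticated') return true;
  const role = roles.find((r) => r.name === roleName);
  if (!role) return false;
  return roleMappings.some(
    (m) => m.principalType === 'USER' && m.roleId === role.id && m.principalId === userId
  );
}

// Resolve one request: among entries whose role the user holds, the most
// specific (named property, named accessType) wins; the default is DENY.
// This is a simplification of LoopBack's score-based matching.
function resolve(aclList, userId, property, accessType, roleMappings) {
  const applicable = aclList.filter((a) =>
    (a.property === undefined || a.property === property) &&
    (a.accessType === '*' || a.accessType === accessType) &&
    isInRole(a.principalId, userId, roleMappings)
  );
  const score = (a) => (a.property ? 2 : 0) + (a.accessType !== '*' ? 1 : 0);
  applicable.sort((a, b) => score(b) - score(a));
  return applicable.length ? applicable[0].permission : 'DENY';
}

// Broken bootstrap from the question: account.id was undefined.
const brokenMapping = [{ id: 1, principalType: 'USER', roleId: 1, principalId: undefined }];
// Fixed bootstrap: result.id of the created account (user 1 is janed).
const fixedMapping = [{ id: 1, principalType: 'USER', roleId: 1, principalId: 1 }];

console.log(resolve(acls, 1, 'create', 'WRITE', brokenMapping)); // -> 'DENY'
console.log(resolve(acls, 1, 'create', 'WRITE', fixedMapping));  // -> 'ALLOW'
console.log(resolve(acls, 2, 'create', 'WRITE', fixedMapping));  // -> 'DENY' (johnd has no mapping)
```

Swapping the $everyone entry to ALLOW, as answer 1 suggests, makes the broken mapping pass too, which is how that test isolates the fault to the role mapping rather than the ACL itself.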