StrongLoop is pleased to announce the availability of LoopBack 1.3!
LoopBack is an open source, mobile backend framework built on Node.js, that enables you to connect mobile applications to your data. You can run LoopBack on-premise or in the cloud. StrongLoop offers support, training and professional services for LoopBack.
New in this release is support for access control lists (ACL). An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.
How does it work?
With LoopBack’s support for ACL you can authenticate the mobile apps, users and/or devices that call your APIs.
The authentication and authorization flow works like this:
1. Sign up a new application
- Generate application keys
- Create a new record for the application
2. Register a new user
- Create a new record for the user
3. Request an access token from the client on behalf of the user
- Authenticate the principal's credentials
- Check the existence of scopes by name
- Check that the user authorized the app
- Store the various data points (User and App Id, Scope and “Time to Live” (TTL))
- Generate a token and store it
4. Invoke an API using the access token
- Find/validate the token
- Find/validate required scopes for the protected resource
- Establish the subject from the token
- Find ACLs for the target model
- Find roles for the given userId
- Check if the App and user Ids and roles pass the ACL
See it in action
Here’s an example on GitHub of how to get your application to use the new ACL feature.
Check out the documentation for an overview of ACLs in LoopBack, including detailed docs on controlling data access and advanced topics like enabling access control manually or at runtime. Also, if you are looking for an architecture overview of how ACL is implemented in LoopBack, you can find it here.
- Learn more about LoopBack
- Install LoopBack with npm
- Read the LoopBack documentation
- Get the tech paper: “Mobilizing Enterprise Data with LoopBack Models”