Configure ACLs to protect the LoopBack API


In this lesson we will learn how to protect our API using ACLs.

ACL stands for Access Control List, and its function is to control permissions on resources in the API. It does this by keeping a mapping between an API resource and a principal. An API resource is an API endpoint, such as a remote method or a whole model. Principals in LoopBack are users or applications, which can be grouped into a role.

In order to get the API production-ready we will protect a selection of our REST endpoints with ACLs. We will look at how we can obtain an access token and how we can use it in our requests.

Finally, we will write some unit tests to make sure that the ACL does what we expect. We enhance our test setup by exporting request, which is provided by the supertest library.

In our tests we use request to verify that our endpoints return the correct HTTP status code.
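To show why the usual "deny everything, then allow specific methods" ACL layout produces the status codes the tests check, here is a simplified model of LoopBack's ACL resolution. It is an added example, not code from the lesson or from LoopBack itself: the `$everyone`/`$authenticated` roles and the `Product` model's `buy` remote method come from the lesson, while the `specificity` scoring is an approximation of LoopBack's real algorithm (which also weighs `accessType`).

```javascript
// Added example: a simplified model of how LoopBack 3 resolves a model's
// "acls" array. The scoring is an approximation of LoopBack's own, and the
// entries below are constructed to mirror a common/models/product.json.
const productAcls = [
  { principalType: 'ROLE', principalId: '$everyone',      permission: 'DENY',  property: '*' },
  { principalType: 'ROLE', principalId: '$everyone',      permission: 'ALLOW', property: 'find' },
  { principalType: 'ROLE', principalId: '$everyone',      permission: 'ALLOW', property: 'findById' },
  { principalType: 'ROLE', principalId: '$authenticated', permission: 'ALLOW', property: 'buy' },
];

// Roles a caller belongs to. $everyone always matches; $authenticated only
// when the request carries an access token (presence is all we model here).
function rolesFor(accessToken) {
  return accessToken ? ['$everyone', '$authenticated'] : ['$everyone', '$unauthenticated'];
}

// LoopBack lets the most specific matching entry win: an exact property
// beats the '*' wildcard, and a narrower role beats $everyone.
function specificity(entry) {
  return (entry.property === '*' ? 0 : 2) + (entry.principalId === '$everyone' ? 0 : 1);
}

// Decide ALLOW/DENY for one remote method ("property") given the caller's roles.
// With no matching entry LoopBack allows access by default, which is why the
// DENY '*' entry is needed to lock the model down.
function resolve(acls, property, roles) {
  let best = null;
  for (const e of acls) {
    const propMatch = e.property === '*' || e.property === property;
    const roleMatch = e.principalType === 'ROLE' && roles.includes(e.principalId);
    if (!propMatch || !roleMatch) continue;
    if (!best || specificity(e) > specificity(best)) best = e;
  }
  return best ? best.permission : 'ALLOW';
}

// Map the decision to the HTTP status a supertest .expect() would see:
// LoopBack answers a denied request with 401 Authorization Required.
function statusFor(acls, property, accessToken) {
  return resolve(acls, property, rolesFor(accessToken)) === 'ALLOW' ? 200 : 401;
}

// Demo: anonymous callers are refused the buy method, token holders get through.
console.log(statusFor(productAcls, 'buy', null));        // 401
console.log(statusFor(productAcls, 'buy', 'TOKEN-xyz')); // 200
```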

Gavin
~ 7 years ago

Hello, so far I have really enjoyed your course. I am having an issue with the buy now though. I did fix the 401 by adding the buy property to the ACL, but now I am getting a 400 "Bad Request" with the following code:

<pre>
it('should return 200 when buying a Product', function() {
  return app.models.Product.create({ name: 'Test', price: 100 })
    .then(res => request
      .post(`/api/Products/${res.id}/buy`)
      .send({ quantity: 100 })
      .expect(200));
});
</pre>

What am I missing?

Thanks again for your great courses.

Gavin
~ 7 years ago

Never mind, if I could spell it would help! I saw the problem: it was the misspelling of quantity in the product.js file.

Martin Christov
~ 7 years ago

Hey man, you say in the description "We will look at how we can obtain an access token and how we can use that in our requests." But you never did :/

PS: Nevermind. I should have played the next video first :)