user-order.controller.ts doesn't auth with @authenticate('jwt')

[lygstate]

user-order.controller.ts doesn't auth with @authenticate('jwt'),
besides, doesn't check the userId

    if (userId !== currentUser.id) {
      throw new HttpErrors.BadRequest(
        `User id does not match: ${userId} !== ${currentUser.id}`,
      );
    }

[jannyHou]

@lygstate

if (userId !== currentUser.id) {
      throw new HttpErrors.BadRequest(
        `User id does not match: ${userId} !== ${currentUser.id}`,
      );
    }

This is an authorization scenario which we are planning to implement after building the fundamental extensible authentication system.

[lygstate]

@jannyHou Sounds great, what's I can help.

[jannyHou]

@lygstate Thank you for being interested to help!

The story that tracks this change is loopbackio/loopback-next#1998, we are planning to add some abstractions in @loopback/authentication module then refactor this example repo to leverage them.
I will let you know if we decide story#1998 can start with the refactor in parallel or before it. And we can help you work on the PR that enable the auth for orders.

[bajtos]

Before the work on the actual authorization is started, perhaps @lygstate can contribute the authentication changes we left out of February milestone? Cross-posting from loopbackio/loopback-next#1998:

Rework UserOrderController to obtain the customer id from the request (the access token provided by the client) instead of a URL-path parameter.

For example, we can remove /users/{userId} prefix from all endpoints to end up with the following API:

• POST /orders creates a new order
• GET /orders returns all orders of the current user
• PATCH /orders?where= to update some of the orders of the current user. I think this endpoint does not make sense in a Shopping app and should be eventually removed.
• DELETE /orders?where= to delete some of the orders of the current user. I think this endpoint should be eventually removed, because orders are never deleted, they can be only closed (e.g. as cancelled).

Existing REST API exposed by UserController should remain unauthenticated (allowing anonymous access).

[jannyHou]

@bajtos Yeah sounds good 👍
Hi @lygstate would you be interested to submit a PR according to the description cross posted in #43 (comment)?

[austin047]

Hello, I am new to loopback4 and github in general.
I have basic knowledge on nodejs and express, i will like to work on this issue. I will be glad if i can get some hints on where to start.

[bajtos]

Hi @austin047, it's great to hear you are interested in helping out!

We have a detailed guide showing how to fork loopback-next repository on GitHub, create a feature branch, etc. see https://loopback.io/doc/en/lb4/submitting_a_pr.html

As for this particular task, you will need to make changes in the following files:

• src/controllers/user-order.controller.ts - the implementation
• test/acceptance/user-order.controller.acceptance.ts - the tests

Good luck 🍀

[austin047]

Thanks.

[dhmlau]

Closing as fixed.