UnauthorizedError !

[mbnoimi]

Whenever I call /auth/login-token or /auth/login I get the following response:
Request:

{
  "client_id": "webapp",
  "client_secret": "saqw21!@",
  "username": "super_admin",
  "password": "test123!@#"
}

Response:

{
  "error": {
    "statusCode": 401,
    "name": "UnauthorizedError",
    "message": {}
  }
}

.env:

NODE_ENV=production
LOG_LEVEL=info
DB_HOST=localhost
DB_PORT=5432
DB_USER=postgres
DB_PASSWORD=123654789
DB_DATABASE=todolist
DB_SCHEMA=lbstarter
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_URL=
REDIS_PASSWORD=
REDIS_DATABASE=0
JWT_SECRET=plmnkoxswqaz
JWT_ISSUER=lb_api
AUDIT_SCHEMA=logs
USER_TEMP_PASSWORD=temp123!@#
GOOGLE_AUTH_URL=
GOOGLE_AUTH_CLIENT_ID=
GOOGLE_AUTH_CLIENT_SECRET=
GOOGLE_AUTH_TOKEN_URL=
GOOGLE_AUTH_CALLBACK_URL=
DEFAULT_ROLE=super_admin

DB structure:

More info:

$ npm ls --prod --depth 0 | grep loopback
[email protected] /home/laptop/loopback4-starter
├── @loopback/[email protected]
├── @loopback/[email protected]
├── @loopback/[email protected]
├── @loopback/[email protected]
├── @loopback/[email protected]
├── @loopback/[email protected]
├── @loopback/[email protected]
├── @loopback/[email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
$

NOTE: I tried to use both options JWT_SECRET=plmnkoxswqaz & JWT_SECRET=plmnkoqazxsw, but I always get the same result.

[mbnoimi]

I tried to set DB_SCHEMA=todolist but I still get the same result.
I suspect there is something wrong in the dependencies, but I couldn't catch it

[samarpan-b]

I'll check and get back to you

[mbnoimi]

I'll check and get back to you

Thanks in advance.

I'm not sure if this related, but I preferred to report it just to take in the consideration.

$ npm audit fix
npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated [email protected]: versions < v5.0.0 do not handle NUL in passwords properly
npm WARN deprecated [email protected]: Please upgrade to @mapbox/node-pre-gyp: the non-scoped node-pre-gyp package is deprecated and only the @mapbox scoped package will recieve updates in the future

added 19 packages, removed 17 packages, changed 37 packages, and audited 717 packages in 10s

5 packages are looking for funding
  run `npm fund` for details

# npm audit report

bcrypt  <5.0.0
Severity: moderate
Inadequate Encryption Strength - https://npmjs.com/advisories/1553
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/bcrypt

minimist  <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via `npm audit fix`
node_modules/rc/node_modules/minimist

2 vulnerabilities (1 low, 1 moderate)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

[mbnoimi]

I tried to update the packages using npm-check-updates but I get the following errors (usually it's working fine LB projects):

$ ncu -u
Upgrading /home/laptop/loopback4-starter/package.json
[====================] 31/31 100%

 @loopback/boot                   ^1.4.4  →     ^3.2.1     
 @loopback/context               ^1.20.2  →    ^3.14.1     
 @loopback/core                   ^1.8.5  →    ^2.14.1     
 @loopback/openapi-v3             ^1.7.0  →     ^5.1.4     
 @loopback/repository             ^1.8.2  →     ^3.4.1     
 @loopback/rest                  ^1.16.3  →     ^9.1.3     
 @loopback/rest-explorer          ^1.2.5  →     ^3.1.0     
 @loopback/service-proxy          ^1.2.3  →     ^3.0.7     
 bcrypt                           ^3.0.6  →     ^5.0.1     
 db-migrate                     ^0.11.11  →   ^0.11.12     
 dotenv                           ^8.0.0  →     ^8.2.0     
 dotenv-extended                  ^2.4.0  →     ^2.9.0     
 lodash                         ^4.17.19  →   ^4.17.21     
 loopback-connector               ^4.8.0  →     ^5.0.1     
 loopback-connector-kv-redis      ^3.0.1  →     ^4.0.0     
 loopback-connector-postgresql    ^3.7.0  →     ^5.3.0     
 loopback4-authentication         ^2.1.1  →     ^4.1.0     
 loopback4-authorization          ^2.3.2  →     ^3.2.0     
 loopback4-soft-delete            ^1.2.0  →     ^3.1.0     
 @loopback/build                  ^2.0.5  →     ^6.2.9     
 @loopback/testlab                ^1.6.3  →    ^3.2.12     
 @types/jsonwebtoken              ^8.3.2  →     ^8.5.0     
 @types/node                    ^10.11.2  →  ^14.14.31     
 eslint                           ^6.0.1  →    ^7.20.0     
 tslint                          ^5.18.0  →    ^5.20.1     
 typescript                       ^3.5.2  →     ^4.2.2     

Run npm install to install new versions.

$ npm install
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR! 
npm ERR! While resolving: [email protected]
npm ERR! Found: @loopback/[email protected]
npm ERR! node_modules/@loopback/boot
npm ERR!   @loopback/boot@"^3.2.1" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer @loopback/boot@"^2.1.2" from [email protected]
npm ERR! node_modules/loopback4-authentication
npm ERR!   loopback4-authentication@"^4.1.0" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /home/laptop/.npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/laptop/.npm/_logs/2021-02-27T07_35_37_865Z-debug.log

[samarpan-b]

@mbnoimi I'll try to upgrade this starter kit to latest LB4 versions over this weekend. Or, if you want to contribute, it will be just fine. But seems like you are facing issues. Let me know.

[samarpan-b]

I just merged one PR -> #65 which upgrades some of the LB4 deps. Can you please check now ?

[mbnoimi]

Can you please check now ?

Now, I'm able to see a more detailed error message as following:

{
  "error": {
    "statusCode": 401,
    "name": "UnauthorizedError",
    "message": {
      "length": 177,
      "name": "error",
      "severity": "ERROR",
      "code": "42703",
      "hint": "Perhaps you meant to reference the column \"auth_clients.deleted\".",
      "position": "18",
      "file": "parse_relation.c",
      "line": "3504",
      "routine": "errorMissingColumn"
    }
  }
}

But to be accurate. You didn't update the project to recent packages because I'm still see a differences:

[samarpan-b]

Yes I didn't. This was an old PR from another contributor which I merged.

[samarpan-b]

Can you please check now ?

Now, I'm able to see a more detailed error message as following:

{
  "error": {
    "statusCode": 401,
    "name": "UnauthorizedError",
    "message": {
      "length": 177,
      "name": "error",
      "severity": "ERROR",
      "code": "42703",
      "hint": "Perhaps you meant to reference the column \"auth_clients.deleted\".",
      "position": "18",
      "file": "parse_relation.c",
      "line": "3504",
      "routine": "errorMissingColumn"
    }
  }
}

But to be accurate. You didn't update the project to recent packages because I'm still see a differences:

Now this error means we are trying to reference a non existing column. Can you show me your auth-client.model.ts ?

[mbnoimi]

Can you show me your auth-client.model.ts ?

import {model, property} from '@loopback/repository';
import {IAuthClient} from 'loopback4-authentication';

import {BaseEntity} from './base-entity.model';

@model({
  name: 'auth_clients',
})
export class AuthClient extends BaseEntity implements IAuthClient {
  @property({
    type: 'number',
    id: true,
  })
  id?: number;

  @property({
    type: 'string',
    required: true,
    name: 'client_id',
  })
  clientId: string;

  @property({
    type: 'string',
    required: true,
    name: 'client_secret',
  })
  clientSecret: string;

  @property({
    type: 'string',
    required: true,
  })
  secret: string;

  @property({
    type: 'string',
    name: 'redirect_url',
  })
  redirectUrl?: string;

  @property({
    type: 'array',
    itemType: 'number',
    name: 'user_ids',
  })
  userIds: number[];

  @property({
    type: 'number',
    required: true,
    name: 'access_token_expiration',
  })
  accessTokenExpiration: number;

  @property({
    type: 'number',
    required: true,
    name: 'refresh_token_expiration',
  })
  refreshTokenExpiration: number;

  @property({
    type: 'number',
    required: true,
    name: 'auth_code_expiration',
  })
  authCodeExpiration: number;

  constructor(data?: Partial<AuthClient>) {
    super(data);
  }
}

[samarpan-b]

Ah ! Got it. There has been a major upgrade of soft-delete package here. With that upgrade, you need to add 2 new columns to all tables where you are inheriting from BaseEntity or SoftDeleteEntity class. Columns are deleted_on, deleted_by. Refer to this -> https://github.com/sourcefuse/loopback4-soft-delete/blob/v3.0.0/src/models/soft-delete-entity.ts

Also this changelog -> https://github.com/sourcefuse/loopback4-soft-delete/releases/tag/v3.0.0

[mbnoimi]

There has been a major upgrade of soft-delete package here. With that upgrade, you need to add 2 new columns to all tables

Oops, I'll try to do it manually, but I believe it's time to use LB ORM instead of using db-migrate. Does it?

[mbnoimi]

Do I've to modify the tables and models too?

[samarpan-b]

ORM is loopback-juggler only. I just dont use Loopback migrations as they are not reliable.

Read the warning here -> https://loopback.io/doc/en/lb4/Database-migrations.html

[samarpan-b]

Do I've to modify the tables and models too?

No need to update models. Just the tables in DB.

[mbnoimi]

No need to update models. Just the tables in DB.

Do I've to modify 20190430110622-init-script-up.sql to for the future setups?

[mbnoimi]

BTW, I opened a feature request loopbackio/loopback-next#7119 for adding templates in LB

[samarpan-b]

No need to update models. Just the tables in DB.

Do I've to modify 20190430110622-init-script-up.sql to for the future setups?

Yeah. If you can raise a PR for this, it will be a great help. Or, you can generate a new migration script adding these columns using alter script. Raise a PR, I can review and merge.

[samarpan-b]

BTW, I opened a feature request strongloop/loopback-next#7119 for adding templates in LB

Great to hear. I'll upvote it.

[mbnoimi]

/auth/login works fine while /auth/token doesn't!

/auth/login

{
  "client_id": "webapp",
  "client_secret": "saqw21!@",
  "username": "super_admin",
  "password": "test123!@#"
}

Response:

{
  "code": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRJZCI6IndlYmFwcCIsInVzZXJJZCI6MSwiaWF0IjoxNjE0NDI0MjQ2LCJleHAiOjE2MTQ0MjQ0MjYsImF1ZCI6IndlYmFwcCIsImlzcyI6ImxiX2FwaSIsInN1YiI6InN1cGVyX2FkbWluIn0.KnEHLa5BZIga6TyogUEm8S4BqYgJGlyi2XiC4Bl8Pqk"
}

/auth/token

{
  "code": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRJZCI6IndlYmFwcCIsInVzZXJJZCI6MSwiaWF0IjoxNjE0NDI0MjQ2LCJleHAiOjE2MTQ0MjQ0MjYsImF1ZCI6IndlYmFwcCIsImlzcyI6ImxiX2FwaSIsInN1YiI6InN1cGVyX2FkbWluIn0.KnEHLa5BZIga6TyogUEm8S4BqYgJGlyi2XiC4Bl8Pqk",
  "clientId": "webapp",
  "username": "super_admin"
}

Response:

{
  "error": {
    "statusCode": 401,
    "name": "UnauthorizedError",
    "message": "Invalid Credentials"
  }
}

[samarpan-b]

Logs ? Can you debug inside the login.controller.ts ?

[mbnoimi]

Logs ? Can you debug inside the login.controller.ts ?

I don't know how to debug (I'm still a newbie in LB) but the terminal doesn't show any error, so I tried to enable logging depending on LB instructions, but I get this error:

$ npm install --save @loopback/logging
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR! 
npm ERR! While resolving: [email protected]
npm ERR! Found: @loopback/[email protected]
npm ERR! node_modules/@loopback/rest
npm ERR!   @loopback/rest@"^7.0.1" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer @loopback/rest@"^9.1.3" from @loopback/[email protected]
npm ERR! node_modules/@loopback/logging
npm ERR!   @loopback/logging@"^0.4.1" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.

[samarpan-b]

I'll check it then. Basically you debug using vs code

[mbnoimi]

I run DEBUG=*login*,*token* npm start but I got nothing heheh

[kevinjasti]

@samarpan-b Looks like it has something to do with #2639
Unable to fetch role via userTenants in the createJWT function

[samarpan-b]

@mbnoimi @kevinjasti can u guys check with the latest now ?

[akshatdubeysf]

@mbnoimi @kevinjasti can you confirm if it is okay to close this issue?

[samarpan-b]

Closing it for now.

[rlyttle]

I had this error after cloning latest repo and updating dependencies - the soft delete package required the following to be added to most if not all existing tables in the SQL files

deleted_on           timestamptz DEFAULT CURRENT_TIMESTAMP NOT NULL ,
deleted_by           integer ,

I don't understand the internals enough to do a PR, just putting this up here for anyone who encounters the issue.

[samarpan-b]

Thanks @rlyttle . Thats a new breaking change in soft delete package. Refer this - sourcefuse/loopback4-soft-delete#14

[rlyttle]

@samarpan-b thanks. Is there not a need to re-open this bug and issue a PR with updated SQL files?

[samarpan-b]

I think it was optional. If not, then yes. Can you raise a new issue to evaluate and put a fix to it @rlyttle ?