I am creating an API in NodeJS using IBM's Loopback (3.x) framework. Loopback seems to handle classic authentication methods (vs database). In my case, we are using a proxied authentication header (from a 3rd party software) with the username and other data from the verified user.
Is it possible to configure Loopback to "trust" requests that contain a specific header with the user information?
You can configure loopback to "trust" anything it wants with dynamic roles.
Role.registerResolver('somebodyitrust', function(role, context, cb) {
const iTrustYou = true;
return cb(null, iTrustYou);
});
But you're going to have to verify that the information is correct, and so you're probably going to have to use a database and access tokens, and so you're back to square one. Unless you're using openauth.
If you do go ahead trying to authorize by fields in the header you'll need to get the request context, which means you'll have to configure loopback-context.