From 6f347072fc6ac19fc3646d6bb8fa81aa9e8b7492 Mon Sep 17 00:00:00 2001 From: Sunny Tyagi Date: Fri, 5 Dec 2025 15:38:01 +0530 Subject: [PATCH 1/7] docs(authentication-service): update readme of auth update readme of auth gh-0 --- services/authentication-service/README.md | 87 +++++++++++++++++++++++ 1 file changed, 87 insertions(+) diff --git a/services/authentication-service/README.md b/services/authentication-service/README.md index e9812c0db8..e412691494 100644 --- a/services/authentication-service/README.md +++ b/services/authentication-service/README.md @@ -141,6 +141,20 @@ npm i @sourceloop/authentication-service - It works for almost all authentication methods provided by this service. - Use `/verify-otp` to enter otp or code from authenticator app. for using Google Authenticator user needs to pass client id in the payload which is optional in case for OTP +- **Oauth- using Cognito** - + - Make sure you have your cognito setup over aws. You can take reference from [here](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication.html). + - add the below envs- + + COGNITO_AUTH_CALLBACK_URL= \ + COGNITO_AUTH_CLIENT_DOMAIN=\ + COGNITO_AUTH_CLIENT_ID=\ + COGNITO_AUTH_CLIENT_SECRET=\ + COGNITO_AUTH_REGION= + + COGNITO_AUTH_CALLBACK_URL refers to the API endpoint /auth/cognito-auth-redirect provided by authentication service + - we are using the loopback4-authentication package inside the backend service. we have setup the User, AuthClient UserCredential Models and the api /auth/cognito and /auth/cognito-auth-redirect via authentication service. You only need to bind the providers as stated in [loopback4-authentication](https://github.com/sourcefuse/loopback4-authentication) + - on redirecting back to the application with the code generated by the call back api , application can use that code to sent to /auth/token api to get the token for your application. + - **OAuth- using Azure AD** - @@ -528,6 +542,8 @@ sequenceDiagram Here is a sample Implementation `DataSource` implementation using environment variables and PostgreSQL as the data source. The `auth-multitenant-example` utilizes both Redis and PostgreSQL as data sources. +run - ```npm install loopback-connector-postgresql --save``` + ```typescript import {inject, lifeCycleObserver, LifeCycleObserver} from '@loopback/core'; import {juggler} from '@loopback/repository'; @@ -562,6 +578,77 @@ export class AuthenticationDbDataSource } } ``` +redis datasource - +run - ```npm install loopback-connector-kv-redis --save``` +```typescript +for redis, datasource example is as below +import {inject, lifeCycleObserver, LifeCycleObserver} from '@loopback/core'; +import {AnyObject, juggler} from '@loopback/repository'; +import {readFileSync} from 'fs'; +import {AuthCacheSourceName} from '@sourceloop/authentication-service'; + +const config = { + name: process.env.REDIS_NAME, + connector: 'kv-redis', + host: process.env.REDIS_HOST, + port: process.env.REDIS_PORT, + password: process.env.REDIS_PASSWORD, + db: process.env.REDIS_DATABASE, + url: process.env.REDIS_URL, + tls: + +process.env.REDIS_TLS_ENABLED! || + (process.env.REDIS_TLS_CERT + ? { + ca: readFileSync(process.env.REDIS_TLS_CERT), + } + : undefined), + sentinels: + +process.env.REDIS_HAS_SENTINELS! && process.env.REDIS_SENTINELS + ? JSON.parse(process.env.REDIS_SENTINELS) + : undefined, + sentinelPassword: + +process.env.REDIS_HAS_SENTINELS! && process.env.REDIS_SENTINEL_PASSWORD + ? process.env.REDIS_SENTINEL_PASSWORD + : undefined, + role: + +process.env.REDIS_HAS_SENTINELS! && process.env.REDIS_SENTINEL_ROLE + ? process.env.REDIS_SENTINEL_ROLE + : undefined, +}; + +// Observe application's life cycle to disconnect the datasource when +// application is stopped. This allows the application to be shut down +// gracefully. The `stop()` method is inherited from `juggler.DataSource`. +// Learn more at https://loopback.io/doc/en/lb4/Life-cycle.html +@lifeCycleObserver('datasource') +export class RedisDataSource + extends juggler.DataSource + implements LifeCycleObserver +{ + static readonly dataSourceName = AuthCacheSourceName; + static readonly defaultConfig = config; + + constructor( + @inject(`datasources.config.${process.env.REDIS_NAME}`, {optional: true}) + dsConfig: AnyObject = config, + ) { + if ( + +process.env.REDIS_HAS_SENTINELS! && + !!process.env.REDIS_SENTINEL_HOST && + !!process.env.REDIS_SENTINEL_PORT + ) { + dsConfig.sentinels = [ + { + host: process.env.REDIS_SENTINEL_HOST, + port: +process.env.REDIS_SENTINEL_PORT, + }, + ]; + } + super(dsConfig); + } +} +``` + ### Migrations From 42e18725dbf7038b2148d29fb0272266a461dec7 Mon Sep 17 00:00:00 2001 From: Sunny Tyagi Date: Fri, 5 Dec 2025 15:39:35 +0530 Subject: [PATCH 2/7] feat(authentication-service): empty space to check push empty space to check push gh-0 --- services/authentication-service/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/services/authentication-service/README.md b/services/authentication-service/README.md index e412691494..cb92a0253f 100644 --- a/services/authentication-service/README.md +++ b/services/authentication-service/README.md @@ -141,6 +141,7 @@ npm i @sourceloop/authentication-service - It works for almost all authentication methods provided by this service. - Use `/verify-otp` to enter otp or code from authenticator app. for using Google Authenticator user needs to pass client id in the payload which is optional in case for OTP + - **Oauth- using Cognito** - - Make sure you have your cognito setup over aws. You can take reference from [here](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication.html). - add the below envs- From c470c0869e9ebd5d12c715e0e91544a9eae7f57b Mon Sep 17 00:00:00 2001 From: Sunny Tyagi Date: Fri, 5 Dec 2025 16:14:31 +0530 Subject: [PATCH 3/7] docs(authentication-service): update paragraphs update paragraphs gh-0 --- services/authentication-service/README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/services/authentication-service/README.md b/services/authentication-service/README.md index cb92a0253f..12257cc57d 100644 --- a/services/authentication-service/README.md +++ b/services/authentication-service/README.md @@ -141,10 +141,10 @@ npm i @sourceloop/authentication-service - It works for almost all authentication methods provided by this service. - Use `/verify-otp` to enter otp or code from authenticator app. for using Google Authenticator user needs to pass client id in the payload which is optional in case for OTP - + - **Oauth- using Cognito** - - - Make sure you have your cognito setup over aws. You can take reference from [here](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication.html). - - add the below envs- + - Make sure your AWS Cognito setup is properly configured. You can refer to the official documentation [here](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication.html). + - Add the following environment variables: COGNITO_AUTH_CALLBACK_URL= \ COGNITO_AUTH_CLIENT_DOMAIN=\ @@ -152,9 +152,9 @@ npm i @sourceloop/authentication-service COGNITO_AUTH_CLIENT_SECRET=\ COGNITO_AUTH_REGION= - COGNITO_AUTH_CALLBACK_URL refers to the API endpoint /auth/cognito-auth-redirect provided by authentication service - - we are using the loopback4-authentication package inside the backend service. we have setup the User, AuthClient UserCredential Models and the api /auth/cognito and /auth/cognito-auth-redirect via authentication service. You only need to bind the providers as stated in [loopback4-authentication](https://github.com/sourcefuse/loopback4-authentication) - - on redirecting back to the application with the code generated by the call back api , application can use that code to sent to /auth/token api to get the token for your application. + COGNITO_AUTH_CALLBACK_URL should point to the /auth/cognito-auth-redirect endpoint provided by the authentication service. + - We are using the loopback4-authentication package in the backend service. The User, AuthClient, and UserCredential models, along with the /auth/cognito and /auth/cognito-auth-redirect APIs, have been set up in the authentication service. You only need to bind the required providers as described in the [loopback4-authentication](https://github.com/sourcefuse/loopback4-authentication) + - When the application is redirected back with the authorization code generated by the callback API, the application can send this code to the /auth/token endpoint to obtain the access token for your application. - **OAuth- using Azure AD** - From 9af2fe68454c51825a3b369dce5083551d386a71 Mon Sep 17 00:00:00 2001 From: Sunny Tyagi Date: Sat, 6 Dec 2025 23:33:29 +0530 Subject: [PATCH 4/7] docs(authentication-service): update few points update few points gh-0 --- services/authentication-service/README.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/services/authentication-service/README.md b/services/authentication-service/README.md index 12257cc57d..79d7fa1060 100644 --- a/services/authentication-service/README.md +++ b/services/authentication-service/README.md @@ -155,7 +155,21 @@ npm i @sourceloop/authentication-service COGNITO_AUTH_CALLBACK_URL should point to the /auth/cognito-auth-redirect endpoint provided by the authentication service. - We are using the loopback4-authentication package in the backend service. The User, AuthClient, and UserCredential models, along with the /auth/cognito and /auth/cognito-auth-redirect APIs, have been set up in the authentication service. You only need to bind the required providers as described in the [loopback4-authentication](https://github.com/sourcefuse/loopback4-authentication) - When the application is redirected back with the authorization code generated by the callback API, the application can send this code to the /auth/token endpoint to obtain the access token for your application. - + - Create an auth_client entry in your database using the query below: + + ```typescript + INSERT INTO auth_clients (client_id, client_secret, secret) + VALUES ('temp_client', 'temp_secret', 'secret'); + ``` + Use the client_id and client_secret to invoke the auth/cognito API from the frontend. + - Additionally, configure the redirect_url for this auth client to point to the frontend URL where you want the user to be redirected after successful authorization from Cognito. The user will be redirected to this URL with a code query parameter, which can then be exchanged for a token using the /auth/token endpoint. + - The OAuth endpoints are meant to be accessed from a web browser, not from API testing tools. The API explorer shows you + the endpoint structure, but you must test OAuth flows through: + - Your frontend application + - A real browser session + - Tools specifically designed for OAuth testing (like Postman with proper OAuth 2.0 support) + + Kindly create a Dummy web App to hit and manage the apis. - **OAuth- using Azure AD** - From 9e779f02b8a7c39a14dc74a4ce5a9a8e12d8028d Mon Sep 17 00:00:00 2001 From: Sunny Tyagi Date: Mon, 8 Dec 2025 10:38:01 +0530 Subject: [PATCH 5/7] docs(authentication-service): add docs in readme add docs in readme gh-o --- services/authentication-service/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/services/authentication-service/README.md b/services/authentication-service/README.md index 79d7fa1060..7883ca5f59 100644 --- a/services/authentication-service/README.md +++ b/services/authentication-service/README.md @@ -153,6 +153,7 @@ npm i @sourceloop/authentication-service COGNITO_AUTH_REGION= COGNITO_AUTH_CALLBACK_URL should point to the /auth/cognito-auth-redirect endpoint provided by the authentication service. + - Add NODE_TLS_REJECT_UNAUTHORIZED=0 in environment to disables TLS/SSL certificate validation in Node.js. for ***Development only***. - We are using the loopback4-authentication package in the backend service. The User, AuthClient, and UserCredential models, along with the /auth/cognito and /auth/cognito-auth-redirect APIs, have been set up in the authentication service. You only need to bind the required providers as described in the [loopback4-authentication](https://github.com/sourcefuse/loopback4-authentication) - When the application is redirected back with the authorization code generated by the callback API, the application can send this code to the /auth/token endpoint to obtain the access token for your application. - Create an auth_client entry in your database using the query below: From bc9633854bcb001b8898dc7daac6fe3d1d14f276 Mon Sep 17 00:00:00 2001 From: Sunny Tyagi Date: Mon, 8 Dec 2025 11:05:12 +0530 Subject: [PATCH 6/7] docs(authentication-service): add first user sql add first user sql gh-0 --- services/authentication-service/README.md | 45 +++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/services/authentication-service/README.md b/services/authentication-service/README.md index 7883ca5f59..1fb01cced2 100644 --- a/services/authentication-service/README.md +++ b/services/authentication-service/README.md @@ -679,6 +679,51 @@ NOTE : For [`@sourceloop/cli`](https://www.npmjs.com/package/@sourceloop/cli?act ![Auth DB Schema](https://user-images.githubusercontent.com/77672713/126612271-3ce065aa-9f87-45d4-bf9a-c5cc8ad21764.jpg) +- You can use below sql to create first user. Kindly update the name of each field accordingly + + ``` + -- Set schema + SET search_path TO main, public; + -- Auth Client + INSERT INTO auth_clients (client_id, client_secret, secret) + VALUES ('temp_client', 'temp_secret', 'secret'); + -- Tenant + INSERT INTO tenants (name, status, key) + VALUES ('Master Tenant', 1, 't1'); + -- Role + INSERT INTO roles (name, permissions, allowed_clients, role_type, tenant_id) + SELECT 'SuperAdmin', '{*}', '{temp_client}', 0, id + FROM tenants + WHERE key = 't1'; + + -- User + INSERT INTO users (first_name, last_name, username, email, default_tenant_id) + SELECT 'John', 'Doe', 'john.doe@example.com', 'john.doe@example.com', id + FROM tenants + WHERE key = 't1'; + + -- Assign User to Tenant with Role + INSERT INTO user_tenants (user_id, tenant_id, status, role_id) + SELECT + (SELECT id FROM users WHERE username = 'john.doe@example.com'), + (SELECT id FROM tenants WHERE key = 't1'), + 1, + (SELECT id FROM roles WHERE role_type = 0 AND tenant_id = (SELECT id FROM tenants WHERE key = 't1') LIMIT 1); + + -- User Credentials (bcrypt hashed password) + INSERT INTO user_credentials (user_id, auth_provider, password) + SELECT id, 'internal', '$2b$12$mNyM260paivMGoA0gThnkuYpBZ5V0yJHausASJtHINpMeUd9BJkwi' + FROM users + WHERE username = 'john.doe@example.com'; + + -- Update User with Auth Client + UPDATE users + SET auth_client_ids = ARRAY[ + (SELECT id FROM auth_clients WHERE client_id = 'temp_client')::integer + ] + WHERE username = 'john.doe@example.com'; + ``` + descrypted password is test123!@#, we stored it after encryption. ### Providers You can find documentation for some of the providers available in this service [here](./src/providers/README.md) From ccd33978dcee890895a1465bdb1d2249e4454ca6 Mon Sep 17 00:00:00 2001 From: Sunny Tyagi Date: Mon, 8 Dec 2025 11:08:41 +0530 Subject: [PATCH 7/7] docs(authentication-service): add docs add docs gh-0 --- services/authentication-service/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/authentication-service/README.md b/services/authentication-service/README.md index 1fb01cced2..23daf94d71 100644 --- a/services/authentication-service/README.md +++ b/services/authentication-service/README.md @@ -679,7 +679,7 @@ NOTE : For [`@sourceloop/cli`](https://www.npmjs.com/package/@sourceloop/cli?act ![Auth DB Schema](https://user-images.githubusercontent.com/77672713/126612271-3ce065aa-9f87-45d4-bf9a-c5cc8ad21764.jpg) -- You can use below sql to create first user. Kindly update the name of each field accordingly +- You can use below sql to create first user. Kindly update the value of any field if required as per application requirement. ``` -- Set schema