Warn on misconfigured access token user

[bajtos]

Description

Verify User and AccessToken relations at startup Modify app.enableAuth() to verify that (custom) User and AccessToken models have correctly configured their hasMany/belongsTo relations and print a warning otherwise.

As I was fixing the tests reporting this new warning, I discovered few other issues that I needed to fix first - see the first three commits abf8246, c45954c and f0c9700.

The warning and the tests are fixed by the last commit f0d6416.

I think we should wait with merging this pull request until there is a doc page written where we explain users how to fix this problem, so that we can add URL of this doc page to the new warnings.

cc @ebarault @greaterweb

Related issues

• Problems extending User model with loopback v3.3.0 #3215

Checklist

• New tests added or existing tests modified to cover all changes
• Code conforms with the style
  guide

[raymondfeng]

I think it should be fine to use lodash as it's one-time charge.

[bajtos]

We are trying to avoid using lodash in our runtime code in order to keep the size of browserified bundle small (see #989). lodash contributes about 350kb unminified and increases the bundle size by approx 20% - see loopbackio/loopback-datasource-juggler#538.

[raymondfeng]

Good work! I like the defensive approach.

[greaterweb]

Nice work on this, @bajtos!

I've tested this branch in the sample repo I was working with for #3215. I do get the warning for 2 different scenarios I tried:

• custom Account model extending the User model
• custom user model extending the User model

In both cases the User model is not included in the model-config.json file.

The unusual thing though is in my other personal project I've been testing against, I don't get the warning message when using the same warn-on-misconfigured-accessToken-user branch. The project is consistent with the second scenario above, a custom user model is used. I don't configure any relationships with the AccessToken model so it's a little confusing why it's not triggering the warning message.

What I suspect is somewhere in my customization of my user model Loopback is being fooled into thinking my model is the same as the User model. This is consistent with the fact all of my access control related tests are passing even though a relationship with AccessToken is not configured. I'll investigate this further and report back.

[bajtos]

@raymondfeng @superkhau @alshamiri1 thank you for the review!

@greaterweb

What I suspect is somewhere in my customization of my user model Loopback is being fooled into thinking my model is the same as the User model. This is consistent with the fact all of my access control related tests are passing even though a relationship with AccessToken is not configured. I'll investigate this further and report back.

AFAIK, we don't have any code in LoopBack that is depending on AccessToken belongsTo User relation (after #3227 was landed). I would be surprised if your access control tests were failing because of this missing relation, as long as you are not relying on this relation in your test code by calling accessToken.user(function(err, u) {...}).

The unusual thing though is in my other personal project I've been testing against, I don't get the warning message when using the same warn-on-misconfigured-accessToken-user branch.

That's suspicious, I agree.

[bajtos]

@crandmck I setup http://ibm.biz/setup-loopback-auth shortcut to point to http://loopback.io/doc/en/lb3/Authentication-authorization-and-permissions.html#preparing-access-control-models. If/when you move the setup instructions to a different page, then we need to change the target url of the shortcut http://ibm.biz/setup-loopback-auth points to.