How to use the @loopback/rest.HttpErrors.Forbidden function in @loopback/rest
To help you get started, we’ve selected a few @loopback/rest examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
sourcefuse / loopback4-starter / src / sequence.ts View on Github 
const {request, response} = context;
const route = this.findRoute(request);
const args = await this.parseParams(request, route);
request.body = args[args.length - 1];
await this.authenticateRequestClient(request);
const authUser: AuthUser = await this.authenticateRequest(
request,
response,
);
const isAccessAllowed: boolean = await this.checkAuthorisation(
authUser && authUser.permissions,
request,
);
if (!isAccessAllowed) {
throw new HttpErrors.Forbidden(AuthorizeErrorKeys.NotAllowedAccess);
}
const result = await this.invoke(route, args);
this.send(response, result);
} catch (err) {
this.reject(context, err);
}
}
}async updateById(
id: ID,
data: DataObject,
options?: Options,
): Promise {
const currentUser = await this.getCurrentUser();
if (!currentUser) {
throw new HttpErrors.Forbidden(AuthErrorKeys.InvalidCredentials);
}
data.modifiedBy = currentUser.id;
return super.updateById(id, data, options);
}
async replaceById(async createAll(entities: DataObject[], options?: Options): Promise {
const currentUser = await this.getCurrentUser();
if (!currentUser) {
throw new HttpErrors.Forbidden(AuthErrorKeys.InvalidCredentials);
}
entities.forEach(entity => {
entity.createdBy = currentUser ? currentUser.id : 0;
entity.modifiedBy = currentUser ? currentUser.id : 0;
});
return super.createAll(entities, options);
}async create(entity: DataObject, options?: Options): Promise {
const currentUser = await this.getCurrentUser();
if (!currentUser) {
throw new HttpErrors.Forbidden(AuthErrorKeys.InvalidCredentials);
}
entity.createdBy = currentUser.id;
entity.modifiedBy = currentUser.id;
return super.create(entity, options);
}async save(entity: T, options?: Options): Promise {
const currentUser = await this.getCurrentUser();
if (!currentUser) {
throw new HttpErrors.Forbidden(AuthErrorKeys.InvalidCredentials);
}
entity.modifiedBy = currentUser.id;
return super.save(entity, options);
}async update(entity: T, options?: Options): Promise {
const currentUser = await this.getCurrentUser();
if (!currentUser) {
throw new HttpErrors.Forbidden(AuthErrorKeys.InvalidCredentials);
}
entity.modifiedBy = currentUser.id;
return super.update(entity, options);
}async replaceById(
id: ID,
data: DataObject,
options?: Options,
): Promise {
const currentUser = await this.getCurrentUser();
if (!currentUser) {
throw new HttpErrors.Forbidden(AuthErrorKeys.InvalidCredentials);
}
data.modifiedBy = currentUser.id;
return super.replaceById(id, data, options);
}
}async intercept(
invocationCtx: InvocationContext,
next: () => ValueOrPromise,
) {
if (!this.metadata) return await next();
const result = await next();
const requiredPermissions = this.metadata.options as RequiredPermissions;
const user = await this.getCurrentUser();
if(!this.checkPermissons(user.permissions, requiredPermissions)){
throw new HttpErrors.Forbidden('INVALID_ACCESS_PERMISSION');
}
return result;
}
}async create(
@param.query.string('admin_code') admin_code: string,
@requestBody() character: Character,
): Promise {
if(admin_code != '901029'){
throw new HttpErrors.Forbidden('WRONG_ADMIN_CODE');
}
character.permissions = [PermissionKey.ViewOwnUser,
PermissionKey.CreateUser,
PermissionKey.UpdateOwnUser,
PermissionKey.DeleteOwnUser,
PermissionKey.UpdateAnyUser,
PermissionKey.ViewAnyUser,
PermissionKey.DeleteAnyUser];
if (await this.characterRepository.exists(character.email)){
throw new HttpErrors.BadRequest(`This email already exists`);
}
else {
const savedCharacter = await this.characterRepository.create(character);
delete savedCharacter.password;
return savedCharacter;async verifyPassword(username: string, password: string): Promise {
const user = await super.findOne({where: {username}});
const creds = user && (await this.credentials(user.id).get());
if (!user || user.deleted || !creds || !creds.password) {
throw new HttpErrors.Unauthorized(AuthenticateErrorKeys.UserDoesNotExist);
} else if (!(await bcrypt.compare(password, creds.password))) {
throw new HttpErrors.Unauthorized(AuthErrorKeys.InvalidCredentials);
} else if (
await bcrypt.compare(password, process.env.USER_TEMP_PASSWORD!)
) {
throw new HttpErrors.Forbidden(
AuthenticateErrorKeys.TempPasswordLoginDisallowed,
);
}
return user;
}@loopback/rest
Expose controllers as REST endpoints and route REST API requests to controller methods
Package Health Score
89 / 100Popular @loopback/rest functions
- @loopback/rest.api
- @loopback/rest.del
- @loopback/rest.get
- @loopback/rest.getModelSchemaRef
- @loopback/rest.HttpErrors.BadRequest
- @loopback/rest.HttpErrors.Forbidden
- @loopback/rest.HttpErrors.InternalServerError
- @loopback/rest.HttpErrors.NotFound
- @loopback/rest.HttpErrors.Unauthorized
- @loopback/rest.HttpErrors.UnprocessableEntity
- @loopback/rest.operation
- @loopback/rest.patch
- @loopback/rest.post
- @loopback/rest.put
- @loopback/rest.rebaseOpenApiSpec
- @loopback/rest.RestApplication
- @loopback/rest.RestBindings.Http
- @loopback/rest.RestBindings.PORT
- @loopback/rest.RestBindings.SequenceActions
- @loopback/rest.RoutingTable