
I have implemented passport-local strategy and passport-bearer strategy.

When a user logs in with username/password credentials, I generate a JSON Web Token which is returned to the requester. On each request I get access_token from the query, decode this token from JWT to an object and perform bearer authorization implemented in /api/policies. All auth works fine.

But when I provide this access_token to a RESTful route, i.e. user, I get an empty array.

The problem is that Sails accepts access_token as criteria.

Example:

GET /user                        ## Forbidden
GET /user?access_token=<token>   ## Empty array

How can I disable or fix it?

Eugene Obrezkov

1 Answer

You would probably be better off sending your access token in a header than in the URL. But if what you're asking is how to blacklist a certain property from being used as criteria in a blueprint route, it can be done in the following way in your config/routes.js file:

"GET /user": {blueprint: "find", criteria: {blacklist: ["access_token"]}}

This will override the default blacklist, so you may want to include those defaults in your custom array:

"GET /user": {
  blueprint: "find",
  criteria: {
      blacklist: ["access_token", "limit", "skip", "sort", "populate"]
  }
}
sgress454
  • Nice explanation, thanks. I didn't think about headers; it seems that this can resolve the problem. And back to the second question: what if I want to set the blacklist property for all routes? Do I need to set all routes like above, or can it somehow be done another way in a single line of code? – Eugene Obrezkov Sep 12 '14 at 06:36
  • You could set `req.options.criteria.blacklist` in a [policy](http://sailsjs.org/#/documentation/concepts/Policies) and apply it to all controller actions... – sgress454 Sep 24 '14 at 22:07
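As an added example (not code from the answer or from Sails itself), here is a policy that applies the last suggestion to every action: it merges access_token into req.options.criteria.blacklist while keeping the default entries the answer lists. The file name, the criteriaFromQuery helper and the sample request are assumptions made for illustration.

```javascript
// api/policies/blacklistAccessToken.js (hypothetical file name; added example,
// not from the original post). Sails runs policies before controller actions;
// per the answer's comment, the blueprint "find" action consults
// req.options.criteria.blacklist when turning query params into criteria.
const DEFAULT_BLACKLIST = ["limit", "skip", "sort", "populate"]; // defaults named in the answer

function blacklistAccessToken(req, res, next) {
  req.options = req.options || {};
  req.options.criteria = req.options.criteria || {};
  const existing = Array.isArray(req.options.criteria.blacklist)
    ? req.options.criteria.blacklist
    : DEFAULT_BLACKLIST;
  // Merge rather than replace, so a route-specific blacklist keeps its own entries.
  req.options.criteria.blacklist = Array.from(new Set([...existing, "access_token"]));
  return next();
}

// Helper (assumption: mirrors how the blueprint would drop blacklisted keys) so we
// can see which query parameters would still act as filter criteria.
function criteriaFromQuery(query, blacklist) {
  return Object.fromEntries(
    Object.entries(query).filter(([key]) => !blacklist.includes(key))
  );
}

// Constructed request standing in for GET /user?access_token=abc&name=eugene
const sampleReq = { options: {}, query: { access_token: "abc", name: "eugene" } };
blacklistAccessToken(sampleReq, {}, () => {});
const remaining = criteriaFromQuery(sampleReq.query, sampleReq.options.criteria.blacklist);
// remaining is { name: "eugene" }: the token no longer narrows the result set

if (typeof module !== "undefined") module.exports = blacklistAccessToken;
```

To apply it everywhere, map it to all actions in config/policies.js (`'*': 'blacklistAccessToken'`), which is the single-line setting the comment asks about.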