I have created a new project in Loopback Node.js. I'm concerned with the API being public: when I deploy the project on a server, the URLs containing the APIs will be easily accessible. Hence I want to restrict anyone from using the APIs; they should only be used from Android devices that have my front-end app. I do not understand the User model that is already created, since there isn't any specific file for this model, so I am creating my own userauth model, but again the same concern applies: it will be accessible to everyone when deployed on the main server.
Regarding API endpoints being public, I would suggest either of the following (I use the 2nd one):
1) Using ACLs to restrict usage of specific endpoints. You can specify the ACLs individually in the model classes you want to restrict access to.
If you want to apply a common ACL to every model, then I would suggest you inherit from PersistedModel, i.e. create MyBaseModel with base "PersistedModel". Then in all your models use "MyBaseModel" as the base model.
2) Using a middleware which checks if the request is made from the Android app.
In your Android app, set some header on every request to your server, such as:
httpConnection.setRequestProperty("MyCustomProperty", "ThisIsFromAndroidApp");
Then in your Loopback server's boot scripts create a middleware which checks for this:
module.exports = function(app) {
  app.use(function(req, res, next) {
    // Node lowercases incoming header names, so req.headers["MyCustomProperty"]
    // would never match; req.get() is the case-insensitive Express lookup.
    if (req.get('MyCustomProperty') === 'ThisIsFromAndroidApp') {
      return next();
    }
    // Reject with an explicit HTTP status instead of a 200 carrying an error body.
    res.status(403).json({err: "Unauthorised access to api endpoint"});
  });
};
Now for the built-in User model:
You can find their User model in node_modules\loopback\common\models\user.js
Loopback authentication uses a mix of functions from access_token.js (AccessToken model) and user.js (User model). You can find both of these models in
node_modules\loopback\common\models\
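Option 1 from the answer above, the shared base model carrying a common ACL, as an added example that is not part of the original answer. It assumes Loopback's JSON model-definition format, the file path common/models/my-base-model.json, and that the ACL should deny unauthenticated callers and allow anyone holding a valid access token (the $everyone and $authenticated roles are Loopback's built-in ones); the model name MyBaseModel comes from the answer.

```json
{
  "name": "MyBaseModel",
  "base": "PersistedModel",
  "acls": [
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$everyone",
      "permission": "DENY"
    },
    {
      "accessType": "*",
      "principalType": "ROLE",
      "principalId": "$authenticated",
      "permission": "ALLOW"
    }
  ]
}
```

Each application model (for example the asker's userauth) then declares "base": "MyBaseModel" and inherits these ACLs, while MyBaseModel itself is registered in model-config.json with "public": false so it exposes no REST endpoint of its own; the client obtains the token via the built-in User login and sends it in the Authorization header.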