Authentication / Authorization: loopback-supertokens extension
#9527
adrienrn started this conversation in Show and tell
Replies: 1 comment
This is exactly what I was looking for. I'm new to supertokens so it may require some extra learning on my part.
Hello everyone,
I have been working on a Loopback-based project (closed source) where I went through a couple of phases for the authentication/authorization. I finally landed on using Supertokens. Seeing how things evolved, I realized I could open source the extension that emerged from the many iterations and that was living in my codebase. So here it is:
loopback-supertokens
npm | github
I'm interested in feedback about it if people are willing to give it a try!
NB: I'm not affiliated with SuperTokens in any way
Supertokens is relatively new. It has gained my interest because of: clever architecture choices, open-source, self-hosted/managed deployment, seamless initial setup/good getting-started documentation (including Loopback snippets), etc. So yeah, my own code morphed into a more flexible extension.
What does it do?
The README is pretty detailed about what it does:
It integrates SuperTokens with Loopback:
- @authenticate('supertokens') for protected endpoints;
- @authorize for role-based access control (RBAC);
It is built in a loosely coupled fashion (as much as possible) and does not impose any User entity choices (that's the webhook part). There are still a few kinks to iron out but it will get there eventually!
Rationale behind the extension
I didn't jump on SuperTokens right away.
Started with pre-existing extensions and examples and had to move on because overall, I was missing some features of fully-fledged authentication (phone sign in, passwordless, email verification, session management) and some internal implementation choices were a bit limiting (@loopback/authentication-jwt User model was one of them).
I initially reflected on building an extension that would implement all of those and provide a little bit more flexibility (relying heavily on TS generics and dependency injection). Rolling your own secure and reliable authentication system from scratch is a complex and error-prone process that requires a lot of expertise in security, encryption, and web development, hardly ever a good idea.