Loopback 3. Custom roles not working

Question

I have a Client model that inherits the built-in User model. I have created a custom role admin and defined two ACLs using that role for Client model:

{
  "principalType": "ROLE",
  "principalId": "admin",
  "permission": "ALLOW",
  "property": "find"
},
{
  "principalType": "ROLE",
  "principalId": "admin",
  "permission": "ALLOW",
  "property": "findById"
}

I get a 401 when I try to GET /api/Clients

Any thoughts of what could be happening? Any help is greatly appreciated.

Loopback 3.5v, MongoDB

User/Role/Mapping code:

Client.create({
    username: '[email protected]',
    email: '[email protected]',
    password: 'admin123'
}).then(function(user) {
    Role.create({
        name: 'admin'
    }, function(createRoleError, createRole) {
        createRole.principals.create({
            principalType: RoleMapping.USER,
            principalId: user.id
        });
    });
});

MongoDB data:

> db.Client.find()
{ "_id" : ObjectId("58d28f0690c08512b03c9dfc"), "username" : "[email protected]", "password" : "$2a$10$zQrgeFq.pFZNmJOPywE/8uY9PjurwfzyAHbBESgkTccx6pZnFrZR2", "email" : "[email protected]" }

> db.Role.find()
{ "_id" : ObjectId("58d28f0690c08512b03c9dfd"), "name" : "admin", "created" : ISODate("2017-03-22T14:49:42.899Z"), "modified" : ISODate("2017-03-22T14:49:42.899Z") }

> db.RoleMapping.find()
{ "_id" : ObjectId("58d28f0690c08512b03c9dfe"), "principalType" : "USER", "principalId" : "58d28f0690c08512b03c9dfc", "roleId" : ObjectId("58d28f0690c08512b03c9dfd") }

Loopback debug information:

loopback:security:role isInRole(): $everyone +1m
loopback:security:access-context ---AccessContext--- +0ms
loopback:security:access-context principals: +5ms
loopback:security:access-context principal: {"type":"USER","id":"58d28f0690c08512b03c9dfc"} +1ms
loopback:security:access-context modelName Client +0ms
loopback:security:access-context modelId undefined +0ms
loopback:security:access-context property find +1ms
loopback:security:access-context method find +0ms
loopback:security:access-context accessType READ +1ms
loopback:security:access-context accessToken: +0ms
loopback:security:access-context   id "1od20VFnZNqW0i0PblSqpJpxDvpfJEBYeXi9AxM9twj5EqkH4xZ6ET7J9thHT982" +1m

loopback:security:access-context   ttl 1209600 +1ms
loopback:security:access-context getUserId() 58d28f0690c08512b03c9dfc +0ms
loopback:security:access-context isAuthenticated() true +2ms
loopback:security:role Custom resolver found for role $everyone +0ms
loopback:security:role isInRole(): admin +1ms
loopback:security:access-context ---AccessContext--- +2ms
loopback:security:access-context principals: +0ms
loopback:security:access-context principal: {"type":"USER","id":"58d28f0690c08512b03c9dfc"} +2ms
loopback:security:access-context modelName Client +1ms
loopback:security:access-context modelId undefined +1ms
loopback:security:access-context property find +1ms
loopback:security:access-context method find +0ms
loopback:security:access-context accessType READ +1ms
loopback:security:access-context accessToken: +1ms
loopback:security:access-context   id "1od20VFnZNqW0i0PblSqpJpxDvpfJEBYeXi9AxM9twj5EqkH4xZ6ET7J9thHT982" +4m

loopback:security:access-context   ttl 1209600 +2ms
loopback:security:access-context getUserId() 58d28f0690c08512b03c9dfc +2ms
loopback:security:access-context isAuthenticated() true +1ms
loopback:security:role Role found: {"id":"58d28f0690c08512b03c9dfd","name":"admin","created":"2017-03-22T14:
:42.899Z","modified":"2017-03-22T14:49:42.899Z"} +3ms
loopback:security:role Role mapping found: null +22ms
loopback:security:role isInRole() returns: null +2ms
loopback:security:acl The following ACLs were searched:  +2ms
loopback:security:acl ---ACL--- +2ms
loopback:security:acl model Client +1ms
loopback:security:acl property * +1ms
loopback:security:acl principalType ROLE +2ms
loopback:security:acl principalId $everyone +2ms
loopback:security:acl accessType * +1ms
loopback:security:acl permission DENY +2ms
loopback:security:acl with score: +1ms 7495
loopback:security:acl ---Resolved--- +2ms
loopback:security:access-context ---AccessRequest--- +2ms
loopback:security:access-context  model Client +1ms
loopback:security:access-context  property find +1ms
loopback:security:access-context  accessType READ +2ms
loopback:security:access-context  permission DENY +2ms
loopback:security:access-context  isWildcard() false +1ms
loopback:security:access-context  isAllowed() false +3ms

Answer 1

Your rolemapping principalId is inserted as a string rather than a ObjectId, which I think causes the issue. You should enable the strictObjectIDCoercion.

By either having this in a boot script:

app.models.RoleMapping.settings.strictObjectIDCoercion = true;

or add it in server/model-config.json:

{
  "RoleMapping": {
    "dataSource": "db",
    "options": {
      "strictObjectIDCoercion": true
    },
    "public": false
  }
}