Custom policy permissions with cookie bearer authorization

System Information
  • Strapi Version:
  • Operating System:
  • Database:
  • Node Version:
  • NPM Version:
  • Yarn Version:

Trying to create custom user authentication with cookies. When a user sends a login request a cookie with the bearer is returned, but when trying to make requests with that cookie the user is still unauthenticated.

Right now I have a user-permissions.js located at src/extensions/user-permissions/policies:

"use strict";

const { castArray, map } = require("lodash/fp");
const { ForbiddenError, UnauthorizedError } = require("@strapi/utils").errors;

const getService = (name) => {
  return strapi.plugin("users-permissions").service(name);
};

const getAdvancedSettings = () => {
  return strapi
    .store({ type: "plugin", name: "users-permissions" })
    .get({ key: "advanced" });
};

const authenticate = async (ctx) => {
  console.log("á");
  try {
    const token = await getService("jwt").getToken(ctx);

    if (token) {
      const { id } = token;

      if (id === undefined) {
        return { authenticated: false };
      }

      // fetch authenticated user
      const user = await getService("user").fetchAuthenticatedUser(id);

      if (!user) {
        return { error: "Invalid credentials" };
      }

      const advancedSettings = await getAdvancedSettings();

      if (advancedSettings.email_confirmation && !user.confirmed) {
        return { error: "Invalid credentials" };
      }

      if (user.blocked) {
        return { error: "Invalid credentials" };
      }

      ctx.state.user = user;

      return {
        authenticated: true,
        credentials: user,
      };
    }

    const publicPermissions = await strapi
      .query("plugin::users-permissions.permission")
      .findMany({
        where: {
          role: { type: "public" },
        },
      });

    if (publicPermissions.length === 0) {
      return { authenticated: false };
    }

    return {
      authenticated: true,
      credentials: null,
    };
  } catch (err) {
    return { authenticated: false };
  }
};

const verify = async (auth, config) => {
  console.log("b");
  const { credentials: user } = auth;

  if (!config.scope) {
    if (!user) {
      // A non authenticated user cannot access routes that do not have a scope
      throw new UnauthorizedError();
    } else {
      // An authenticated user can access non scoped routes
      return;
    }
  }

  let allowedActions = auth.allowedActions;

  if (!allowedActions) {
    const permissions = await strapi
      .query("plugin::users-permissions.permission")
      .findMany({
        where: { role: user ? user.role.id : { type: "public" } },
      });

    allowedActions = map("action", permissions);
    auth.allowedActions = allowedActions;
  }

  const isAllowed = castArray(config.scope).every((scope) =>
    allowedActions.includes(scope)
  );

  if (!isAllowed) {
    throw new ForbiddenError();
  }
};

module.exports = {
  name: "users-permissions",
  authenticate,
  verify,
};

I also have a strapi-server.js located at src/extensions/user-permissions:

"use strict";

const { callback, register } = require("./controllers/auth");
const permissions = require("./policies/users-permissions");

module.exports = (plugin) => {
  plugin.controllers.auth.callback = callback;
  plugin.controllers.auth.register = register;

  plugin.policies["permissions"] = permissions;

  return plugin;
};

the user-permissions don’t get used though, resulting in the default action. How do I setup the strapi-server so that the user-permissions get used for every request?