Overwrite the default strategies/users-permissions behavior

System Information
  • Strapi Version: 4.2.3
  • Operating System: MacOS 12.4
  • Database: PG
  • Node Version: v16.14.2
  • NPM Version: 8.15.0
  • Yarn Version: 1.22.19

Hello everyone, I am new to Strapi 4. My question is that I want to add some customized auth logic. My initial requirement is similar to the doc here, but this doc is for Strapi 3 (out of date).

My requirement is to check another header (x-authed-by-gateway): if that header exists, then return an 'authenticated' user for this request. If not, we will still use the functionality provided by the existing users-permissions plugin to do auth.

I have checked the source code of the users-permissions plugin, and I found the best place to implement my feature is to overwrite plugin-users-permissions/server/strategies/users-permissions.js. But I can't find a way to easily overwrite or extend the strategies.

const authenticate = async ctx => {
  try {

    // Add my auth logic here

    const token = await getService('jwt').getToken(ctx);

    if (token) {
      const { id } = token;

      if (id === undefined) {
        return { authenticated: false };

In /src/extensions/users-permissions/strapi-server.js I can easily overwrite the services, controllers, routes, etc. But I can't find how to overwrite strategies.

Does anyone have the same requirement?

Hello @CrisLi and welcome to the Strapi Forums :wave:
I would suggest using a middleware or a policy to deal with what you are checking.
The middleware and the policy have access to the request, so you can say: if it exists, allow the request; if not, don't.

So I don't think overwriting the files as you are doing is necessary.

One point is that I still want to reuse the users-permissions plugin. For some requests my header does not exist, and then UPP should perform the auth.

If I add my middleware before the UPP, I need to attach a user to ctx to simulate that the request has been authed, is that right?