I have implemented passport-local strategy and passport-bearer strategy.

When user logins with username/password credentials, I generate JSON Web Token which returns to requester. On each request I get access_token from query, decode this token from JWT to object and make bearer authorization implemented in /api/policies. And all auth works fine.

But when I provide this access_token to RESTful route i.e. user I got empty array.

The problem, that Sails accepts access_token as criteria.

Example:

GET /user ## Forbidden GET /user?access_token=<token> ## Empty array

How can I disable or fix it?

You would probably be better off sending your access token in a header than in the URL. But if what your asking is how to blacklist a certain property from being used as criteria in a blueprint route, it can be done in the following way in your config/routes.js file:

"GET /user": {blueprint: "find", criteria: {blacklist: ["access_token"]}}

This will override the default blacklist, so you may want to include those defaults in your custom array:

"GET /user": {
  blueprint: "find", 
  criteria: {
      blacklist: ["access_token", "limit", "skip", "sort", "populate"]
  }
}