hapi auth bearer token
Release Notes @hapi/hapi, joi, and @hapi/boom are all now peer dependencies to allow maximum flexibility. A reference to joi is now required as opposed to the older @hapi/joi.
For hapi 17.x and above used in combination with the new joi v17.x package. Requires Node 12 or greater.
Note: For hapi v17 and above implementations using @hapi/joi, it is recommended to use Version 6.x.x of this module.
Note: For hapi versions below v17, you must use versions v5.x.x of this module.
Lead Maintainer: John Brett
Bearer authentication requires validating a token passed in by bearer authorization header or query parameter.
This module creates a
'bearer-access-token'
scheme takes the following options:validate
- (required) a token validation function with the signature[async] function(request, token, h)
where:
- `request` - is the hapi request object of the request which is being authenticated.
- `token` - the auth token received from the client.
- `h` - the response toolkit.
- Returns an object `{ isValid, credentials, artifacts }` where:
- `isValid` - `true` if token is valid, otherwise `false`.
- `credentials` - a credentials object passed back to the application in `request.auth.credentials`. Note that due to underlying Hapi expectations, this value must be defined even if `isValid` is `false`. We recommend it be set to `{}` if `isValid` is `false` and you have no other value to provide.
- `artifacts` - optional [authentication](http://hapijs.com/tutorials/auth) related data that is not part of the user's credential.
options
- (optional)
- `accessTokenName` (Default: `'access_token'`) - Rename token key e.g. 'new_name' would rename the token query parameter to `/route1?new_name=1234`.
- `allowQueryToken` (Default: `false`) - Accept token via query parameter.
- `allowCookieToken` (Default: `false`) - Accept token via cookie.
- `allowMultipleHeaders` (Default: `false`) - Accept multiple authorization headers, e.g. `Authorization: FD AF6C74D1-BBB2-4171-8EE3-7BE9356EB018; Bearer 12345678`.
- `tokenType` (Default: `'Bearer'`) - Accept a custom token type e.g. `Authorization: Basic 12345678`.
- `allowChaining` (Default: `false`) - Allow attempt of additional authentication strategies.
- `unauthorized` (Default: `Boom.unauthorized`) - A function to call when unauthorized with signature `function([message], [scheme], [attributes])`. [More details](https://github.com/hapijs/boom#boomunauthorizedmessage-scheme-attributes)
If using a custom `unauthorized` function, it is recommended you read hapi's documentation on authentication schemes, especially in the case of using multiple strategies: [Authentication scheme](https://hapijs.com/api#authentication-scheme).
const Hapi = require('hapi');
const AuthBearer = require('hapi-auth-bearer-token');
const server = Hapi.server({ port: 8080 });
const start = async () => {
await server.register(AuthBearer)
server.auth.strategy('simple', 'bearer-access-token', {
allowQueryToken: true, // optional, false by default
validate: async (request, token, h) => {
// here is where you validate your token
// comparing with token from your database for example
const isValid = token === '1234';
const credentials = { token };
const artifacts = { test: 'info' };
return { isValid, credentials, artifacts };
}
});
server.auth.default('simple');
server.route({
method: 'GET',
path: '/',
handler: async function (request, h) {
return { info: 'success!' };
}
});
await server.start();
return server;
}
start()
.then((server) => console.log(`Server listening on ${server.info.uri}`))
.catch(err => {
console.error(err);
process.exit(1);
})
/*
* To test this example, from your terminal try:
* curl localhost:8080
* response: {"statusCode":401,"error":"Unauthorized","message":"Missing authentication"}
* curl localhost:8080?access_token=abc
* response: {"statusCode":401,"error":"Unauthorized","message":"Bad token","attributes":{"error":"Bad token"}}
* curl curl localhost:8080?access_token=1234
* response: {"info":"success!"}
*/
License MIT @ John Brett and other contributors 2018