UNPKG

hapi-auth-bearer-token

Version:

Simple Bearer authentication scheme plugin for hapi, accepts token by Header, Cookie or Query parameter.

github.com/johnbrett/hapi-auth-bearer-token

johnbrett/hapi-auth-bearer-token

103 lines (74 loc) 4.63 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
### hapi auth bearer token [![Build Status](https://travis-ci.org/johnbrett/hapi-auth-bearer-token.svg?branch=master)](https://travis-ci.org/johnbrett/hapi-auth-bearer-token) [Release Notes] @hapi/hapi, joi, and @hapi/boom are all now peer dependencies to allow maximum flexibility. A reference to joi is now required as opposed to the older @hapi/joi. For hapi 17.x and above used in combination with the new joi v17.x package. Requires Node 12 or greater. **Note:** For hapi v17 and above implementations using @hapi/joi, it is recommended to use **Version 6.x.x** of this module. **Note:** For hapi versions below v17, you must use versions v5.x.x of this module. Lead Maintainer: [John Brett](https://github.com/johnbrett) Bearer authentication requires validating a token passed in by bearer authorization header or query parameter. This module creates a `'bearer-access-token'` scheme takes the following options: - `validate` - (required) a token validation function with the signature `[async] function(request, token, h)` where: - `request` - is the hapi request object of the request which is being authenticated. - `token` - the auth token received from the client. - `h` - the response toolkit. - Returns an object `{ isValid, credentials, artifacts }` where: - `isValid` - `true` if token is valid, otherwise `false`. - `credentials` - a credentials object passed back to the application in `request.auth.credentials`. Note that due to underlying Hapi expectations, this value must be defined even if `isValid` is `false`. We recommend it be set to `{}` if `isValid` is `false` and you have no other value to provide. - `artifacts` - optional [authentication](http://hapijs.com/tutorials/auth) related data that is not part of the user's credential. - `options` - (optional) - `accessTokenName` (Default: `'access_token'`) - Rename token key e.g. 'new_name' would rename the token query parameter to `/route1?new_name=1234`. - `allowQueryToken` (Default: `false`) - Accept token via query parameter. - `allowCookieToken` (Default: `false`) - Accept token via cookie. - `allowMultipleHeaders` (Default: `false`) - Accept multiple authorization headers, e.g. `Authorization: FD AF6C74D1-BBB2-4171-8EE3-7BE9356EB018; Bearer 12345678`. - `tokenType` (Default: `'Bearer'`) - Accept a custom token type e.g. `Authorization: Basic 12345678`. - `allowChaining` (Default: `false`) - Allow attempt of additional authentication strategies. - `unauthorized` (Default: `Boom.unauthorized`) - A function to call when unauthorized with signature `function([message], [scheme], [attributes])`. [More details](https://github.com/hapijs/boom#boomunauthorizedmessage-scheme-attributes) If using a custom `unauthorized` function, it is recommended you read hapi's documentation on authentication schemes, especially in the case of using multiple strategies: [Authentication scheme](https://hapijs.com/api#authentication-scheme). ```javascript const Hapi = require('hapi'); const AuthBearer = require('hapi-auth-bearer-token'); const server = Hapi.server({ port: 8080 }); const start = async () => { await server.register(AuthBearer) server.auth.strategy('simple', 'bearer-access-token', { allowQueryToken: true, // optional, false by default validate: async (request, token, h) => { // here is where you validate your token // comparing with token from your database for example const isValid = token === '1234'; const credentials = { token }; const artifacts = { test: 'info' }; return { isValid, credentials, artifacts }; } }); server.auth.default('simple'); server.route({ method: 'GET', path: '/', handler: async function (request, h) { return { info: 'success!' }; } }); await server.start(); return server; } start() .then((server) => console.log(`Server listening on ${server.info.uri}`)) .catch(err => { console.error(err); process.exit(1); }) /* * To test this example, from your terminal try: * curl localhost:8080 * response: {"statusCode":401,"error":"Unauthorized","message":"Missing authentication"} * curl localhost:8080?access_token=abc * response: {"statusCode":401,"error":"Unauthorized","message":"Bad token","attributes":{"error":"Bad token"}} * curl curl localhost:8080?access_token=1234 * response: {"info":"success!"} */ ``` License MIT @ John Brett and other contributors 2018