
hapi-auth-jwt2
The simplest authentication scheme/plugin for Hapi.js apps using JSON Web Tokens.
```sh
npm install hapi-auth-jwt2 --save
```
basic usage example to get started:
```javascript
// This example targets the hapi API of the time (server.connection, reply callbacks,
// callback-style server.register); hapi 17 changed all three.
var Hapi = require('hapi');
var JWT = require('jsonwebtoken'); // used to sign our content
var port = process.env.PORT || 8000; // allow port to be set
var secret = 'NeverShareYourSecret'; // Never Share! (load it from the environment in a real deployment)
var people = { // our "users database"
  1: {
    id: 1,
    name: 'Anthony Valid User'
  }
};

// use the token as the 'authorization' header in requests
// (no expiresIn is given, so the token carries only iat and stays valid until the secret changes)
var token = JWT.sign(people[1], secret); // synchronous

// bring your own validation function
var validate = function (decoded, callback) {
  console.log(decoded);
  // do your checks to see if the person is valid
  if (!people[decoded.id]) {
    return callback(null, false);
  }
  else {
    return callback(null, true);
  }
};

var server = new Hapi.Server();
server.connection({ port: port });

// include our module here ↓↓
server.register(require('hapi-auth-jwt2'), function (err) {
  if (err) {
    console.log(err);
  }

  // see: http://hapijs.com/api#serverauthschemename-scheme
  server.auth.strategy('jwt', 'jwt', true,
    { key: secret, validateFunc: validate });

  server.route([
    {
      method: "GET", path: "/", config: { auth: false },
      handler: function (request, reply) {
        reply({ text: 'Token not required' });
      }
    },
    {
      method: 'GET', path: '/restricted', config: { auth: 'jwt' },
      handler: function (request, reply) {
        reply({ text: 'You used a Token!' })
          .header("Authorization", request.headers.authorization);
      }
    }
  ]);
});

server.start();
```
Run the server with:

```sh
node example/server.js
```

Now use curl to access the two routes. The root route needs no token:

```sh
curl -v http://localhost:8000/
```

Try to access the /restricted content without supplying a Token (expect to see a 401 error):

```sh
curl -v http://localhost:8000/restricted
```

Now access the URL using the following format (the Authorization header value is the token itself):

```sh
curl -H "Authorization: <TOKEN>" http://localhost:8000/restricted
```

Here's a valid token you can use (copy-paste this command):

```sh
curl -v -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwibmFtZSI6IkFudGhvbnkgVmFsaWQgVXNlciIsImlhdCI6MTQyNTQ3MzUzNX0.KA68l60mjiC8EXaC2odnjFwdIDxE__iDu5RwLdN1F2A" \
  http://localhost:8000/restricted
```
That's it.
Write your own validateFunc with whatever checks you want to perform
on the decoded token before allowing the visitor to proceed.

validateFunc - (required) the function which is run once the Token has been decoded (that is, after its signature has been checked against key), with signature function(decoded, callback) where:
- decoded - the decoded JWT payload received from the client in request.headers.authorization
- callback - (required) a callback function with the signature function(err, isValid) where:
  - err - an internal error
  - isValid - true if the JWT was valid, otherwise false
While making Time we want to ensure
our app (and API) is as simple as possible to use.
This led us to using JSON Web Tokens for stateless authentication.
We did extensive research
into existing modules that might solve our problem; there are many on NPM,
but they were invariably too complicated, poorly documented and
had useless (non-real-world) "examples"!
So we decided to write our own, addressing all these issues.
Don't take our word for it: do your own homework and decide which module you prefer.

"Perfection is attained not when there is nothing more to add,
but when there is nothing more to remove." ~ Antoine de Saint-Exupéry

The name we wanted was taken. Think of our module as the "new and simplified version".
For more background on JWT see our post: https://github.com/docdis/learn-json-web-tokens
We borrowed code from the following: