hapi-auth-jwt2
Advanced tools
The simplest authentication scheme/plugin for Hapi.js apps using JSON Web Tokens.
This node.js module (Hapi plugin) lets you use JSON Web Tokens (JWTs) for authentication in your Hapi.js web application.
If you are totally new to JWTs, we wrote an introductory post explaining
the concepts & benefits: https://github.com/docdis/learn-json-web-tokens
If you (or anyone on your team) are unfamiliar with Hapi.js we have a
quick guide for that too: https://github.com/nelsonic/learn-hapi
We have tried to make this plugin a user (developer) friendly as possible,
but if anything is unclear,
please submit any questions as issues on GitHub:
https://github.com/dwyl/hapi-auth-jwt2/issues
npm install hapi-auth-jwt2 --save
This basic usage example should get started:
var Hapi = require('hapi');
var people = { // our "users database"
1: {
id: 1,
name: 'Jen Jones'
}
};
// bring your own validation function
var validate = function (decoded, request, callback) {
// do your checks to see if the person is valid
if (!people[decoded.id]) {
return callback(null, false);
}
else {
return callback(null, true);
}
};
var server = new Hapi.Server();
server.connection({ port: 8000 });
// include our module here ↓↓
server.register(require('hapi-auth-jwt2'), function (err) {
if(err){
console.log(err);
}
server.auth.strategy('jwt', 'jwt', true,
{ key: 'NeverShareYourSecret', // Never Share your secret key
validateFunc: validate // validate function defined above
});
server.route([
{
method: "GET", path: "/", config: { auth: false },
handler: function(request, reply) {
reply({text: 'Token not required'});
}
},
{
method: 'GET', path: '/restricted', config: { auth: 'jwt' },
handler: function(request, reply) {
reply({text: 'You used a Token!'})
.header("Authorization", request.headers.authorization);
}
}
]);
});
server.start();
Run the server with: node example/server.js
Now use curl to access the two routes:
curl -v http://localhost:8000/
Try to access the /restricted content without supplying a Token (expect to see a 401 error):
curl -v http://localhost:8000/restricted
Now access the url using the following format:
curl -H "Authorization: <TOKEN>" http://localhost:8000/restricted
A here's a valid token you can use (copy-paste this command):
curl -v -H "Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwibmFtZSI6IkFudGhvbnkgVmFsaWQgVXNlciIsImlhdCI6MTQyNTQ3MzUzNX0.KA68l60mjiC8EXaC2odnjFwdIDxE__iDu5RwLdN1F2A" \
http://localhost:8000/restricted
That's it.
Write your own validateFunc with what ever checks you want to perform
on the decoded token before allowing the visitor to proceed.
If you would like to see a "real world example" of this plugin in use in a production web app (API) please see: https://github.com/dwyl/time/tree/master/api/lib
If you have any questions on this please post an issue/question on GitHub:
https://github.com/dwyl/hapi-auth-jwt2/issues
(we are here to help get you started on your journey to hapiness!)
Redis is perfect for storing session data that needs to be checked on every authenticated request.
If you are unfamiliar with Redis or anyone on your team needs a refresher, please checkout: https://github.com/docdis/learn-redis
The code is in: example/real_world_example_using_redis_on_heroku.js (snappy name, right?) and corresponding tests in test/real_world_example.js feel free to inspect, use, or ask additional questions if unclear.
Having a more real-world example was seconded by @manonthemat see: hapi-auth-jwt2/issues/9
validateFunc - (required) a the function which is run once the Token has been decoded
signature function(decoded, request, callback) where:
decoded - (required) is the decoded JWT received from the client in request.headers.authorizationrequest - (required) is the original request received from the clientcallback - (required) a callback function with the signature function(err, isValid, credentials) where:
err - an internal error.valid - true if the JWT was valid, otherwise false.credentials - (optional) alternative credentials to be set instead of decoded.While registering the hapi-auth-jwt2 plugin you can define the following verifyOptions:
ignoreExpiration - ignore expired tokensaudience - do not enforce token audienceissuer - do not require the issuer to be validexample:
server.auth.strategy('jwt', 'jwt', true,
{ key: 'NeverShareYourSecret', // Never Share your secret key
validateFunc: validate, // validate function defined above
verifyOptions: { ignoreExpiration: true } // do not reject expired tokens
});
Read more about this at: jsonwebtoken verify options
If you prefer not to use any of these verifyOptions simply do not set them when registering the plugin with your app; they are all optional.
This feature was requested in: issues/29
npm install jsonwebtoken --save if you want to sign JWTs in your app.var JWT = require('./node_modules/hapi-auth-jwt2/node_modules/jsonwebtoken');If you have a question, please post an issue/question on GitHub: https://github.com/dwyl/hapi-auth-jwt2/issues
If you spot an area for improvement, please raise an issue: https://github.com/dwyl/hapi-auth-jwt2/issues Someone on the dwyl team is always online so
The "real world example" expects to have two environment variables: JWT_SECRET and REDISCLOUD_URL.
export JWT_SECRET='ItsNoSecretBecauseYouToldEverybody'
export REDISCLOUD_URL='redis://rediscloud:OhEJjWvSgna@pub-redis-1046.eu-west-1-2.1.ec2.garantiadata.com:10689'
Ask @nelsonic for a valid Dev Redis url (we cannot publish the real one on GitHub...)
While making Time we want to ensure
our app (and API) is as simple as possible to use.
This lead us to using JSON Web Tokens for Stateless Authentication.
We did a extensive research
into existing modules that might solve our problem; there are many on NPM:
but they were invariably too complicated, poorly documented and had useless (non-real-world) "examples"!
Also, none of the existing modules exposed the request object to the validateFunc which we thought might be handy.
So we decided to write our own module addressing all these issues.
Don't take our word for it, do your own homework and decide which module you prefer.
"perfection is attained not when there is nothing more to add,
but when there is nothing more to remove" ~ Antoine de Saint-Exupéry
The name we wanted was taken.
Think of our module as the "new, simplified and actively maintained version"
For more background on JWT see our post: https://github.com/docdis/learn-json-web-tokens
We borrowed code from the following:
FAQs
Hapi.js Authentication Plugin/Scheme using JSON Web Tokens (JWT)
The npm package hapi-auth-jwt2 receives a total of 31,145 weekly downloads. As such, hapi-auth-jwt2 popularity was classified as popular.
We found that hapi-auth-jwt2 demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Bybit's $1.46B hack by North Korea's Lazarus Group pushes 2025 crypto losses to $1.6B in just two months, already surpassing all of 2024's $1.49B total.
Security News
OpenSSF has published OSPS Baseline, an initiative designed to establish a minimum set of security-related best practices for open source software projects.
Security News
Michigan TypeScript founder Dimitri Mitropoulos implements WebAssembly runtime in TypeScript types, enabling Doom to run after processing 177 terabytes of type definitions.