hapi-auth-token
Advanced tools
This Hapi plugin provides a token based authentication scheme.
The authentication scheme secures endpoints with token authentication, and exposes hooks to validate
the received tokens & set custom credentials object onto authenticated Hapi requests (which will be
accessible as request.auth.credentials in the route handlers post-authentication).
User authentication and token generation should be handled by the application.
The scheme will automatically extract auth token from Cookie, Header or Query parameter,
making it convenient to use any of those modes for token authentication.
npm install --save hapi-auth-token
OR
yarn add hapi-auth-token
hapi-auth-token to authenticate users against a SQL DB.hapi-auth-token with JWT tokens.Follow these steps to use this plugin in your Hapi application.
import HapiAuthToken from 'hapi-auth-token';
await server.register(HapiAuthToken)
token-auth schemeconst strategyOptions = {
cookie: {
name: '__AUTH', // Auth cookie name
isSecure: false,
},
header: false, // Disable extracting token from the "Authorization" header
query: {
name: 'authToken', // Name of the query parameter to read the auth token from
},
async validateToken(authToken) {
// Verify whether the token is valid, for example, against a list of existing tokens like below
return models.UserToken.isValid(authToken);
},
async buildAuthCredentials(authToken) {
// Identify user based on the token information
// Return a credentials object based on the identified user information
// The object returned from this method will be accessible as `request.auth.credentials` in authenticated handlers
const user = await models.User.byAuthToken(authToken);
return { id: user.id, profile: user.profileId };
},
};
this._server.auth.strategy('token-auth-strategy', 'token-auth', strategyOptions);
The key parameters in configuration of the strategy are the validateToken and buildAuthCredentials functions.
validateToken will be called with the extracted authentication token, and is expected to respond back with a boolean indicating whether the token is valid.buildAuthCredentials will be called if validateToken returns true, and is expected to return a JSON object, which will be set as the auth credentials for the current request.
The object returned by this function will be accessible as request.auth.credentials in the authenticated route handlers.Here's a more elaborate snippet:
import Hapi from 'hapi';
import HapiAuthToken from 'hapi-auth-token';
const server = new Hapi.Server();
async function configureAuth() {
// Register the HapiAuthToken plugin
await server.register(HapiAuthToken);
// Initialize plugin/strategy options
const strategyOptions = {
cookie: {
name: '__AUTH', // Auth cookie name
isSecure: false,
},
header: false, // Disable extracting token from the "Authorization" header
query: {
name: 'authToken', // Name of the query parameter to read the auth token from
},
async validateToken(authToken) {
// Verify whether the token is valid, for example, against a list of existing tokens like below
return models.UserToken.isValid(authToken);
},
async buildAuthCredentials(authToken) {
// Identify user based on the token information
// Return a credentials object based on the identified user information
// The object returned from this method will be accessible as `request.auth.credentials` in authenticated handlers
const user = await models.User.byAuthToken(authToken);
return { id: user.id, profile: user.profileId };
},
};
// Register an authentication strategy based on the HapiAuthToken scheme
this._server.auth.strategy('token-auth-strategy', 'token-auth', strategyOptions);
this._server.auth.default('token-auth-strategy');
}
configureAuth();
The plugin can be configured during plugin registration, and/or during auth strategy registration. Options can be passed during plugin registration like this:
await server.register({plugin: HapiAuthToken, options: {<hapi-auth-token-options>}});
Or during strategy registration like this:
server.auth.strategy('<strategy-name>', 'token-auth', {<hapi-auth-token-options>});
Note that the final set of options would be a combination of these two option sets, and the options provided to the strategy will override plugin level options when there's a conflict.
cookie
false or an object
false will disable reading auth tokens from cookiesname is the name of the auth cookie. Defaults to __TOKEN_AUTHheader
Authorization header should be enabled
true, the plugin will read auth-token from the Authorization: Token <auth-token> headerfalse, Authorization headers are ignored by the plugintruequery
false or an object
false will disable reading auth tokens from query parametersname is the name of the query parameter to read the auth token from. Defaults to the token parameter.{name: 'token'}validateToken
buildAuthCredentials
validateToken returns true.request.auth.credentials in authenticated route handlers.FAQs
Token authentication for Hapi
The npm package hapi-auth-token receives a total of 4 weekly downloads. As such, hapi-auth-token popularity was classified as not popular.
We found that hapi-auth-token demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.