hapi-field-auth
Hapi plugin for field-level authorization.
Install
npm install hapi-field-auth
Purpose
This plugin provides field-level authorization (not authentication) for Hapi routes, particularly for PATCH routes.
If the request payload contains fields whose writability depends on the scope of the authenticated user, this plugin lets you restrict access at field level.
A prerequisite is authentication -- use any authentication plugin, e.g., hapi-auth-basic.
It is expected that authentication sets request.route.auth.credentials.scope on the request object.
Dynamic scopes referring to the request object (query, params, payload, and credentials) are supported, e.g., user-{params.id}. The prefix characters ! and + are not (yet) supported.
Usage
Register the plugin with Hapi server like this:
const Hapi = require('hapi');
const hapiAuthBasic = require('hapi-auth-basic');
const hapiFieldAuth = require('hapi-field-auth');

const server = new Hapi.Server({
  port: 3000,
});

const provision = async () => {
  // Authentication must be registered as well; the field check relies on the
  // scope that the authentication plugin places in the credentials.
  await server.register([hapiAuthBasic, hapiFieldAuth]);
  await server.start();
};

provision().catch((err) => {
  console.error(err);
  process.exit(1);
});
Your route configuration may look like this:
server.route({
  method: 'PATCH',
  path: '/example',
  options: {
    auth: {
      access: {
        // Route-level gate: either scope may call the route at all.
        scope: ['write', 'write.extended'],
      },
    },
    validate: {
      payload: ExampleSchema, // a Joi schema defined elsewhere in your code
    },
    plugins: {
      'hapi-field-auth': [{
        // Field-level gate: writing myProtectedField additionally requires write.extended.
        fields: ['myProtectedField'],
        scope: ['write.extended'],
      }],
    },
  },
  handler: function (request, h) {
    // Reached only when both the route-level and the field-level checks passed;
    // apply the patch here. Placeholder response for the example.
    return h.response().code(204);
  },
});
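To show what the field-level check in the route configuration above amounts to, here is an added illustration written for this README; it is not the plugin's own source. It models the decision as a plain function so it can run without a server: a rule's scopes are expanded against the request (so user-{params.id} becomes user-42 for params.id = '42'), and any payload field covered by a rule whose scopes the caller does not hold is reported as forbidden. The function names (expandScope, forbiddenFields), the placeholder syntax handled, and the assumption that the scope is read from request.auth.credentials.scope (where Hapi authentication schemes store credentials) are choices of this example, not guarantees about the plugin's internals; the sample rules and requests are constructed.

```javascript
// Added illustration, not hapi-field-auth's code. Assumes the user's scope is
// available at request.auth.credentials.scope (string or array) and that a
// rule is satisfied when the caller holds at least one of its (expanded) scopes.

// Expand '{query.x}', '{params.x}', '{payload.x}' and '{credentials.x}'
// placeholders in a scope template. Unknown placeholders are left untouched.
function expandScope(template, request) {
  const sources = {
    query: request.query || {},
    params: request.params || {},
    payload: request.payload || {},
    credentials: (request.auth && request.auth.credentials) || {},
  };
  return template.replace(
    /\{(query|params|payload|credentials)\.([\w.]+)\}/g,
    (match, src, path) => {
      const value = path
        .split('.')
        .reduce((obj, key) => (obj == null ? undefined : obj[key]), sources[src]);
      return value === undefined ? match : String(value);
    }
  );
}

// rules: the array given under plugins['hapi-field-auth'] in the route config,
// i.e. [{ fields: [...], scope: [...] }].
// Returns the payload fields the caller is not allowed to write; an empty
// array means the request passes the field-level check.
function forbiddenFields(rules, request) {
  const credentials = (request.auth && request.auth.credentials) || {};
  const userScope = new Set([].concat(credentials.scope || []));
  const payload = request.payload || {};
  const denied = [];
  for (const rule of rules) {
    const required = rule.scope.map((s) => expandScope(s, request));
    if (required.some((s) => userScope.has(s))) continue; // rule satisfied
    for (const field of rule.fields) {
      if (Object.prototype.hasOwnProperty.call(payload, field)) denied.push(field);
    }
  }
  return denied;
}

// Constructed sample: the README's rule plus a dynamic, per-user rule.
const sampleRules = [
  { fields: ['myProtectedField'], scope: ['write.extended'] },
  { fields: ['email'], scope: ['user-{params.id}', 'admin'] },
];
const sampleRequest = {
  params: { id: '42' },
  payload: { name: 'x', myProtectedField: 1, email: 'a@example.test' },
  auth: { credentials: { scope: ['write', 'user-42'] } },
};
console.log(forbiddenFields(sampleRules, sampleRequest)); // user-42 unlocks email, not myProtectedField

module.exports = { expandScope, forbiddenFields };
```

A practical consequence visible here: the route-level scope list only decides whether the caller may reach the route, so a caller holding only write still reaches the handler unless the field-level rule rejects the payload; keep the payload validation (ExampleSchema) in place as well, since this check only looks at which fields are present, not at their values.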
Options
This plugin does not have any options.