hapi auth bearer token
[Release Notes] @hapi/hapi, joi, and @hapi/boom are all now peer dependencies to allow maximum flexibility. A reference to joi is now required as opposed to the older @hapi/joi.
For hapi 17.x and above, used in combination with the new joi v17.x package. Requires Node 12 or greater.
Note: For hapi v17 and above implementations using @hapi/joi, it is recommended to use Version 6.x.x of this module.
Note: For hapi versions below v17, you must use versions v5.x.x of this module.
Lead Maintainer: John Brett
Bearer authentication requires validating a token passed in by bearer authorization header or query parameter.

This module creates a `'bearer-access-token'` scheme that takes the following options:
- `validate` - (required) a token validation function with the signature `[async] function(request, token, h)` where:
  - `request` - the hapi request object of the request which is being authenticated.
  - `token` - the auth token received from the client.
  - `h` - the response toolkit.
  - Returns an object `{ isValid, credentials, artifacts }` where:
    - `isValid` - `true` if the token is valid, otherwise `false`.
    - `credentials` - a credentials object passed back to the application in `request.auth.credentials`. Note that due to underlying hapi expectations, this value must be defined even if `isValid` is `false`. We recommend it be set to `{}` if `isValid` is `false` and you have no other value to provide.
    - `artifacts` - optional authentication related data that is not part of the user's credential.
- `options` - (optional)
  - `accessTokenName` (Default: `'access_token'`) - Rename token key e.g. `'new_name'` would rename the token query parameter to `/route1?new_name=1234`.
  - `allowQueryToken` (Default: `false`) - Accept token via query parameter.
  - `allowCookieToken` (Default: `false`) - Accept token via cookie.
  - `allowMultipleHeaders` (Default: `false`) - Accept multiple authorization headers, e.g. `Authorization: FD AF6C74D1-BBB2-4171-8EE3-7BE9356EB018; Bearer 12345678`.
  - `tokenType` (Default: `'Bearer'`) - Accept a custom token type e.g. `Authorization: Basic 12345678`.
  - `allowChaining` (Default: `false`) - Allow attempt of additional authentication strategies.
  - `unauthorized` (Default: `Boom.unauthorized`) - A function to call when unauthorized with signature `function([message], [scheme], [attributes])`.

More details: If using a custom `unauthorized` function, it is recommended you read hapi's documentation on authentication schemes, especially in the case of using multiple strategies: Authentication scheme.
```javascript
// Listing reconstructed from the garbled original: the require paths follow the
// module and peer dependency named above; the strategy name 'simple' and the
// validate body are illustrative, matching the curl responses in the comment below.
const Hapi = require('@hapi/hapi');
const AuthBearer = require('hapi-auth-bearer-token');

const server = Hapi.server({ port: 8080 });

const start = async () => {

    await server.register(AuthBearer);

    server.auth.strategy('simple', 'bearer-access-token', {
        allowQueryToken: true,              // optional, false by default
        validate: async (request, token, h) => {

            // here is where you validate your token,
            // e.g. by comparing it with a token from your database
            const isValid = token === '1234';

            // credentials must be defined even when isValid is false
            const credentials = { token };
            const artifacts = { test: 'info' };

            return { isValid, credentials, artifacts };
        }
    });

    server.auth.default('simple');

    server.route({
        method: 'GET',
        path: '/',
        handler: async function (request, h) {

            return { info: 'success!' };
        }
    });

    await server.start();

    return server;
};

start()
    .then((server) => console.log(`Server listening on ${server.info.uri}`))
    .catch((err) => {
        console.error(err);
        process.exit(1);
    });

/*
 * To test this example, from your terminal try:
 * curl localhost:8080
 * response: {"statusCode":401,"error":"Unauthorized","message":"Missing authentication"}
 * curl localhost:8080?access_token=abc
 * response: {"statusCode":401,"error":"Unauthorized","message":"Bad token","attributes":{"error":"Bad token"}}
 * curl localhost:8080?access_token=1234
 * response: {"info":"success!"}
 */
```
License MIT @ John Brett and other contributors 2018