npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

hapi-authorization

v4.0.0

Published

ACL support for hapijs apps

Downloads

9,459

Readme

hapi-authorization

hapi-authorization 4 only supports hapi 17+ for hapi 16 please use hapi-authorization 3

ACL support for hapijs apps

npm version Build Status Coverage Status Dev Dependencies

You can use this plugin to add ACL and protect your routes. you can configure required roles and allow access to certain endpoints only to specific users.

Support

  • Hapi >= 6 < 8 - Use version 1.x
  • Hapi >= 8 < 10 - Use version 2.x
  • Hapi >= 10 - Use version 3.x
  • Hapi >= 17 - Use version 4.x

Usage

Note: To use hapi-authorization you must have an authentication strategy defined.

There are 2 ways to use hapi-authorization:

  1. With the default roles which are: "SUPER_ADMIN", "ADMIN", "USER", "GUEST"
  2. By defining your own roles

Using hapi-authorization with default roles

  1. Include the plugin in your hapijs app. Example:
let plugins = [
	{
		plugin: require('hapi-auth-basic')
	},
	{
		plugin: require('hapi-authorization')
		options: {
		  roles: false	// By setting to false, you are not using an authorization hierarchy and you do not need to specify all the potential roles here
		}
	}
];

await server.register(plugins);

Using hapi-authorization with custom roles

  1. Include the plugin in your hapijs app. Example:
let plugins = [
	{
		plugin: require('hapi-auth-basic')
	},
	{
		plugin: require('hapi-authorization'),
		options: {
			roles: ['OWNER', 'MANAGER', 'EMPLOYEE']	// Can also reference a function which returns an array of roles
		}
	}
];

await server.register(plugins);

Whitelist Routes That Require Authorization

If you want no routes require authorization except for the ones you specify in the route config, add hapiAuthorization instructions with the role(s) that should have access to the route configuration.

Example:

Authorize a single role

server.route({ method: 'GET', path: '/', options: {
  plugins: {'hapiAuthorization': {role: 'ADMIN'}},	// Only ADMIN role
  handler: (request, h) => { return "Great!"; }
}});

Authorize multiple roles

server.route({ method: 'GET', path: '/', options: {
  plugins: {'hapiAuthorization': {roles: ['USER', 'ADMIN']}},
  handler: (request, h) => { return "Great!"; }
}});

Blacklist All Routes To Require Authorization

If you want all routes to require authorization except for the ones you specify that should not, add hapiAuthorization instructions with the role(s) that should have access to the server.connection options. Note that these can be overridden on each route individually as well.

Example:

let server = new Hapi.server({
	routes: {
		plugins: {
			hapiAuthorization: { roles: ['ADMIN'] }
		}
	}
});

Override the authorization to require alternate roles

server.route({ method: 'GET', path: '/', options: {
  plugins: {'hapiAuthorization': {role: 'USER'}},	// Only USER role
  handler: (request, h) => { return "Great!" ;}
}});

Override the authorization to not require any authorization

server.route({ method: 'GET', path: '/', options: {
  plugins: {'hapiAuthorization': false},
  handler: (request, h) => { return "Great!"; }
}});

Note: Every route that uses hapiAuthorization must be protected by an authentication schema either via auth.strategy.default('someAuthStrategy') or by specifying the auth on the route itself.

Full Example using hapi-auth-basic and hapi-authorization

const Hapi = require('hapi');
const modules = require('./modules');

// Instantiate the server
let server = new Hapi.Server();

/**
 * The hapijs plugins that we want to use and their configs
 */
let plugins = [
	{
		register: require('hapi-auth-basic')
	},
	{
		register: require('hapi-authorization'),
		options: {
			roles: ['OWNER', 'MANAGER', 'EMPLOYEE']
		}
	}
];

let validate = (username, password) => {
	// Perform authentication and respond with object that contains a role or an array of roles
	return {username: username, role: 'EMPLOYEE'};
}

/**
 * Setup the server with plugins
 */
await server.register(plugins);
server.start().then(() => {

	server.auth.strategy('simple', 'basic', {validateFunc: validate});
	server.auth.default('simple');

	/**
	 * Add all the modules within the modules folder
	 */
	for(let route in modules) {
		server.route(modules[route]);
	}

	/**
	 * Starts the server
	 */
	server.start()
        .then(() => {
            console.log('Hapi server started @', server.info.uri);
        })
        .catch((err) => {
            console.log(err);
        });
})
.catch((err) => {
  // If there is an error on server startup
  throw err;
});

Gotchas

Auth before routes

You must define your auth strategy before defining your routes, otherwise the route validation will fail.

Plugin Config

  • roles - Array|false: All the possible roles. Defaults to SUPER_ADMIN, ADMIN, USER, GUEST. Can be set to false if no hierarchy is being used. by setting to false you do not need to know all the potential roles
  • hierarchy - Boolean: An option to turn on or off hierarchy. Defaults to false
  • roleHierarchy - Array: The role hierarchy. Roles with a lower index in the array have access to all roles with a higher index in the array. With the default roles, this means that USER has access to all roles restricted to GUEST, ADMIN has access to all roles restricted to USER and GUEST, and SUPER_ADMIN has access to all roles restricted to ADMIN, USER, and GUEST.

Route config of supported parameters:

  • role - String: enforces that only users that have this role can access the route
  • roles - Array: enforces that only users that have these roles can access the route
  • aclQuery - Function: fetches an entity using the provided query, it allows the plugin to verify that the authenticated user has permissions to access this entity. the function signature should be function(parameter, request).
  • aclQueryParam - String: The parameter key that will be used to fetch the entity. default: 'id'
  • paramSource - String: The source of the acl parameter, allowed values: payload, params, query.
  • validateEntityAcl - Boolean: Should the plugin validate if the user has access to the entity. if true, validateAclMethod is required.
  • validateAclMethod - String: A function name. the plugin will invoke this method on the provided entity and will use it to verify that the user has permissions to access this entity. function signature is function(user, role);