sarge

hapi.js plugin to make authorization on routes easy


Sarge (aka Drill Sergeant)

Install

npm install sarge

Usage

This example shows adding basic role checking to the hapi basic auth example.

var Hapi = require('hapi');
var Bcrypt = require('bcrypt');

// Legacy hapi constructor form, Server(host, port). The host is 'localhost', so this demo
// listens on the loopback interface only.
var server = new Hapi.Server('localhost', 3000);

// Demo-only in-memory user table, keyed by username.
// `password` holds a bcrypt hash, never the plaintext; both sample accounts carry the same
// hash, for the password named in the trailing comment.
// `role` is the value the sarge authorization handler compares with the route's config.
// NOTE(review): a real deployment would load users from a datastore instead of committing
// password hashes to source.
var users = {
    john: {
        username: 'john',
        password: '$2a$10$iqJSHD.BGr0E2IxQwYgJmeP3NvhPrXAeLSaGCj6IR/XU5QtjVu5Tm',   // 'secret'
        name: 'John Doe',
        id: '2133d32a',
        role: 'admin'
    },
    jane: {
        username: 'jane',
        password: '$2a$10$iqJSHD.BGr0E2IxQwYgJmeP3NvhPrXAeLSaGCj6IR/XU5QtjVu5Tm',   // 'secret'
        name: 'Jane Doe',
        id: '2132bbb',
        role: 'user'
    },
};


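var sarge_config = {
    /**
     * Authorization handler passed to the sarge plugin.
     *
     * @param {Object} request - the full request object
     * @param {Object} config - the plugins.sarge config attached to the route
     * @param {Function} next - call with no arguments to allow the request, or with an
     *     error to reject it
     */
    handler: function (request, config, next) {
        var username = request.auth.credentials.username;

        // Own-property lookup only: a name such as 'constructor' must not resolve to a
        // member inherited from Object.prototype.
        var user = Object.prototype.hasOwnProperty.call(users, username) ? users[username] : null;

        // Fail closed: an unknown user or a role mismatch is rejected, and the `return`
        // ensures next() is never invoked a second time without an error.
        // NOTE(review): 403 is the conventional status for an authenticated caller who
        // lacks the role; the README's 401 is kept here so behaviour stays the same.
        if (!user || user.role !== config.role) {
            return next(Hapi.error.unauthorized("Not authorized"));
        }

        return next();
    }
};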


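/**
 * validateFunc for the 'basic' auth scheme: checks a username/password pair against the
 * in-memory `users` table.
 *
 * @param {string} username - username taken from the request's credentials
 * @param {string} password - plaintext password to compare with the stored bcrypt hash
 * @param {Function} callback - called as callback(err, isValid, credentials); for an
 *     unknown user it is called as callback(null, false)
 */
var validate = function (username, password, callback) {

    // Own-property lookup only: the username is untrusted input, and a name such as
    // 'constructor' or '__proto__' would otherwise resolve to an inherited member and
    // reach Bcrypt.compare with no hash.
    var user = Object.prototype.hasOwnProperty.call(users, username) ? users[username] : null;
    if (!user) {
        // NOTE(review): unknown usernames return without a bcrypt comparison, so they are
        // answered faster than known ones; acceptable for a demo table.
        return callback(null, false);
    }

    Bcrypt.compare(password, user.password, function (err, isValid) {
        // Only non-secret fields become the request credentials; the hash is left out.
        callback(err, isValid, { id: user.id, name: user.name, username: user.username });
    });
};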

// Register an auth strategy named 'simple' that uses the 'basic' scheme and checks
// credentials with validate().
// NOTE(review): HTTP Basic sends the username and password with every request, only
// base64-encoded; serve it over TLS anywhere other than a local demo.
server.auth('simple', {
    scheme: 'basic',
    validateFunc: validate
});

// Route handler for the demo endpoint. It relies on `this` exposing reply() and sends a
// fixed body.
var handler = function () {
    var body = 'hapi hapi hapi hapi hapi';
    this.reply(body);
};

// GET / carries two separate settings: `auth: 'simple'` authenticates the caller with the
// basic-auth strategy, and `plugins.sarge` holds the data handed to the sarge handler as
// its `config` argument (here, the role the caller must have).
server.route({
    method: 'GET',
    path: '/',
    handler: handler,
    config: {
        auth: 'simple',
        plugins: {
            sarge: {
                role: 'admin' // This can be any data you want your handler to consume
            }
        }
    }
});

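// Load sarge before accepting traffic, and fail closed: if the authorization plugin cannot
// be loaded, abort rather than serve routes without their role checks.
server.pack.require('sarge', sarge_config, function (err) {
    if (err) {
        throw err;
    }

    // Start only once the plugin has been registered.
    server.start(function () {
        console.log("Server Started " + server.info.uri);
    });
});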

The first point to notice is that you need to add your authorization criteria to the route via its plugin config:

config: {
    // NOTE: if your handler reads request.auth.credentials, the route also needs its own
    // `auth` setting, as in the full example.
    plugins: {
        sarge: {
            // Whatever data you want to put here
        }
    }
}

The entire config.plugins.sarge object is passed into the authorization handler as its second argument, config.

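The second point is that you need to create a handler that holds your authorization logic and pass it to the plugin when the plugin is required. The handler takes three arguments: request, config, and next. Call next() with no arguments to allow the request, or next(error) to reject it, and return straight after so that next is called only once.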
