hapi-authorization 4 only supports hapi 17+. For hapi 16, please use hapi-authorization 3.

ACL support for hapijs apps

You can use this plugin to add ACL and protect your routes. You can configure the required roles and allow access to certain endpoints only to specific users.

Support

- Hapi >= 6 < 8 - Use version 1.x
- Hapi >= 8 < 10 - Use version 2.x
- Hapi >= 10 - Use version 3.x
- Hapi >= 17 - Use version 4.x

Usage

Note: To use hapi-authorization you must have an authentication strategy defined.

There are 2 ways to use hapi-authorization:

- With the default roles, which are: "SUPER_ADMIN", "ADMIN", "USER", "GUEST"
- By defining your own roles

Using hapi-authorization with default roles

Include the plugin in your hapijs app. Example:

```js
let plugins = [
  { plugin: require('hapi-auth-basic') },
  // roles: false disables the role list, so you do not need to know every possible role up front
  { plugin: require('hapi-authorization'), options: { roles: false } }
];
await server.register(plugins);
```

Using hapi-authorization with custom roles

Include the plugin in your hapijs app. Example:

```js
let plugins = [
  { plugin: require('hapi-auth-basic') },
  { plugin: require('hapi-authorization'), options: { roles: ['OWNER', 'MANAGER', 'EMPLOYEE'] } }
];
await server.register(plugins);
```

Whitelist Routes That Require Authorization

If you want no routes to require authorization except the ones you specify, add hapiAuthorization instructions with the role(s) that should have access to each such route's configuration.

Example:

Authorize a single role

```js
server.route({
  method: 'GET',
  path: '/',
  options: {
    plugins: { hapiAuthorization: { role: 'ADMIN' } },
    handler: (request, h) => {
      return 'Great!';
    }
  }
});
```

Authorize multiple roles

```js
server.route({
  method: 'GET',
  path: '/',
  options: {
    plugins: { hapiAuthorization: { roles: ['USER', 'ADMIN'] } },
    handler: (request, h) => {
      return 'Great!';
    }
  }
});
```

Blacklist All Routes To Require Authorization

If you want all routes to require authorization except for the ones you explicitly exempt, add hapiAuthorization instructions with the role(s) that should have access to the server connection options. Note that these can be overridden on each route individually as well.

Example:

```js
// Server-wide default: every route requires the ADMIN role unless the route overrides it
let server = Hapi.server({
  routes: {
    plugins: { hapiAuthorization: { roles: ['ADMIN'] } }
  }
});
```

Override the authorization to require alternate roles

```js
server.route({
  method: 'GET',
  path: '/',
  options: {
    plugins: { hapiAuthorization: { role: 'USER' } },
    handler: (request, h) => {
      return 'Great!';
    }
  }
});
```

Override the authorization to not require any authorization

```js
server.route({
  method: 'GET',
  path: '/',
  options: {
    plugins: { hapiAuthorization: false },
    handler: (request, h) => {
      return 'Great!';
    }
  }
});
```

Note: Every route that uses hapiAuthorization must be protected by an authentication scheme, either via server.auth.default('someAuthStrategy') or by specifying the auth on the route itself.

Full Example using hapi-auth-basic and hapi-authorization

```js
const Hapi = require('hapi');
const modules = require('./modules');

const server = new Hapi.Server();

const plugins = [
  { plugin: require('hapi-auth-basic') },
  { plugin: require('hapi-authorization'), options: { roles: ['OWNER', 'MANAGER', 'EMPLOYEE'] } }
];

// hapi-auth-basic (hapi 17) validate function: the returned credentials carry the
// role that hapi-authorization checks against the route config
const validate = async (request, username, password) => {
  return { isValid: true, credentials: { username: username, role: 'EMPLOYEE' } };
};

const start = async () => {
  await server.register(plugins);

  // Define the auth strategy before any routes (see Gotchas below)
  server.auth.strategy('simple', 'basic', { validate });
  server.auth.default('simple');

  for (let route in modules) {
    server.route(modules[route]);
  }

  await server.start();
  console.log('Hapi server started @', server.info.uri);
};

start().catch((err) => {
  throw err;
});
```

Gotchas

Auth before routes

You must define your auth strategy before defining your routes, otherwise the route validation will fail.

Plugin Config

- roles - Array|false : All the possible roles. Defaults to SUPER_ADMIN, ADMIN, USER, GUEST. Can be set to false if no hierarchy is being used; by setting it to false you do not need to know all the potential roles.
- hierarchy - Boolean : An option to turn the hierarchy on or off. Defaults to false.
- roleHierarchy - Array : The role hierarchy. Roles with a lower index in the array have access to all roles with a higher index in the array. With the default roles, this means that USER has access to all routes restricted to GUEST, ADMIN has access to all routes restricted to USER and GUEST, and SUPER_ADMIN has access to all routes restricted to ADMIN, USER, and GUEST.
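The following is an added illustration (not the plugin's own code) that models the access decision described in the route config and plugin config sections above: a route-level hapiAuthorization setting overrides the server-wide default, `false` disables the check, and with `hierarchy` enabled a role inherits access to everything restricted to roles at a higher index of `roleHierarchy`. The function names and the `{ allowed, reason }` result shape are constructed for this example.

```javascript
// Default roles as listed in the Plugin Config section
const DEFAULT_ROLES = ['SUPER_ADMIN', 'ADMIN', 'USER', 'GUEST'];

// The route's own hapiAuthorization config wins over the server-wide default.
// A routeConfig of `false` explicitly disables authorization for that route.
function effectiveRouteConfig(serverDefault, routeConfig) {
  return routeConfig === undefined ? serverDefault : routeConfig;
}

// Roles a credential role may act as. Without hierarchy, only the role itself.
// With hierarchy, every role at the same or a higher (less privileged) index too.
function grantedRoles(credRole, { hierarchy = false, roleHierarchy = DEFAULT_ROLES } = {}) {
  if (!hierarchy) return [credRole];
  const idx = roleHierarchy.indexOf(credRole);
  if (idx === -1) return [credRole]; // unknown role: no inherited access
  return roleHierarchy.slice(idx);
}

// Decide whether a request may reach a route. `credentials` is what the auth
// strategy produced (null when unauthenticated); returns { allowed, reason }.
function authorize(credentials, serverDefault, routeConfig, pluginOptions) {
  const cfg = effectiveRouteConfig(serverDefault, routeConfig);
  if (cfg === false || cfg === undefined) {
    return { allowed: true, reason: 'no authorization required' };
  }
  // A protected route must also be authenticated (see the Note above)
  if (!credentials || !credentials.role) {
    return { allowed: false, reason: 'unauthenticated' };
  }
  const required = cfg.roles || (cfg.role ? [cfg.role] : []);
  const granted = grantedRoles(credentials.role, pluginOptions);
  const allowed = required.some((r) => granted.includes(r));
  return { allowed, reason: allowed ? 'role matched' : `requires one of ${required.join(', ')}` };
}

// Constructed scenario: server default requires ADMIN, one route is relaxed to USER
const serverDefault = { roles: ['ADMIN'] };
console.log(authorize({ role: 'USER' }, serverDefault, { role: 'USER' }, { hierarchy: false }));
console.log(authorize({ role: 'ADMIN' }, serverDefault, { role: 'USER' }, { hierarchy: false }));
console.log(authorize({ role: 'ADMIN' }, serverDefault, { role: 'USER' }, { hierarchy: true }));
```

Note that with `hierarchy: false` an ADMIN is denied on a USER-only route even though ADMIN sits above USER in the default list; only enabling the hierarchy makes the higher role inherit that access.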

Route config of supported parameters: