johnbrett / hapi-auth-bearer-token Goto Github PK

In hapi authorization scheme is expected to return authenticate function, however the data stored in payload is then not available to the user. But the scheme can also return payload function which then can be used to use payload data during authorization.

I needed this functionality in one of the projects, therefore I already wrote the necessary code: #18
(however I didn't dig into the plugin structure, so maybe this can be (and should) written in other fashion)

A request with an invalid token results in

{"statusCode":500,"error":"Internal Server Error","message":"An internal server error occurred"}

due to the line

            return h.unauthenticated(settings.unauthorized(message, settings.tokenType), { credentials, artifacts });

if is is changed to

            return h.unauthenticated(settings.unauthorized(message), { credentials, artifacts });

the statusCode is 401 as it should be.

In our use case, we are trying to define two auth strategies to be validated one before other. Defining hapi-auth-bearer-token validation as the first one, we have seen that it is possible using the flag allowChaining. If the bearer token received in not a valid token, try the second one before saying that the token is not valid.

server.auth.strategy('simple', 'bearer-access-token', { allowChaining: true, validateFunc });
server.auth.strategy('jwt', 'jwt', jwtValidation);

It we define the strategies in each route, it works as we expected:

{
      method: 'GET',
      options: {
        auth: {
          strategies: ['simple', 'jwt'],
        },
     }
}

But if we try to define the strategies as the default ones, we face an exception:

server.auth.default({ strategies: ['simple', 'jwt'] });

The exception comes from the following line of the scheme definition:

const message = (settings.allowChaining && request.route.settings.auth.strategies.length > 1) ? null : 'Bad token';

strategies is undefined.

Could we add support for default option when we define multiple strategies ?

I think there should be used tokenType in regexp in this line, instead of hardcoded Bearer string
https://github.com/johnbrett/hapi-auth-bearer-token/blob/master/lib/index.js#L49

also will be great if it works without tokentype by specifiing tokenType = ''

would you be willing to entertain access to the request object in the validate function? either by changing the method signature or using call to bind request to this?

the scenario that i'm envisioning grants different access to different paths based on the bearer token.

thanks!

Hi,
I am getting a lot of error stack in log whenever unauthorized attempt is made and I am wondering if there is a way to handle those error or suppress the verbose error log.

So this return callback(null, false); will produce the below

Debug: auth, unauthenticated, error, simple
    Error: Bad token
    at ... /node_modules/hapi-auth-bearer-token/lib/index.js:72:39

artifacts argument is absent in signature of callback parameter of validateFunc in README.md:

callback - a callback function with the signature function(err, isValid, credentials) where:

When this module was created it was just more for allowing token parse by query token than header, but usage and configurability has grown since and should be treated as more secure by default now. As a result, all options for extra areas to parse security tokens should be specifically opt-in so the module is locked down to only header auth by default.

auth: {
strategies: ['admin','user']
},
The problem I met was the first admin to verify, but the second user was invalid.

Hey thanks for this incredible plugin, I was wondering if it was possible to expose the validator logic to the hapi server. I have found useful to extend this module functionality for example with token validation functionality, to move all the token validation away into a plugin. Bell already does that.

What do you think? I can help with that if it is something that makes sense for you.

Hi @johnbrett
can you please clarify if this plugin supports the try or optional modes?
Tried searching in your docs and tests but did not find any reference to either.
Thanks.

Hello,
I have used hapi-auth-bearer-token, it is working, but I want to ask something, is it possible to generate our own error message once authentication failed? instead of returning messages like this
{ "statusCode": 401, "error": "Unauthorized", "message": "Bad token", "attributes": { "error": "Bad token" }
if it is possible how? thanks.

We need to ensure that this plugin works well with brand new Hapi 8.

Version 16.3.0 of hapi just got published.

This version is covered by your current version range and after updating it in your project the build failed.

As hapi is “only” a devDependency of this project it might not break production or downstream projects, but “only” your build or test tools – preventing new deploys or publishes.

I recommend you give this issue a high priority. I’m sure you can resolve this 💪

Your Greenkeeper Bot 🌴

Version 13.5.0 of joi was just published.

This version is covered by your current version range and after updating it in your project the build failed.

joi is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

Update & bump is badly needed to comport with newest hapi ecosystem. 🔩

Copy & paste the example on the README and run it with node

Hapi v15.1.1

apparently now register truly runs async, so trying to register routes before it finishes to register the auth strategy fails, could you update your example?

Since the query token get's deleted here: https://github.com/johnbrett/hapi-auth-bearer-token/blob/master/lib/index.js#L55 the next strategy looking for it simply can't find it.
Not sure how to fix this but I think the easiest is to delete it only just before a successful auth here https://github.com/johnbrett/hapi-auth-bearer-token/blob/master/lib/index.js#L94

The dependency boom was updated from 7.2.0 to 7.2.1.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

boom is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

I am trying to use this module to enable bearer token on my app. However, I am getting the error shown in the title.

I have been stuck for days now. Hoping anyone could help me.

I have user.js route

module.exports = [{
    'method' : 'GET',
    'path' : '/v1/users',
    'config' : {
        'handler' : function (request, reply) {
            User.find(function (error, data) {
                if (!error) {
                    reply(data)
                        .code(200)
                }
            });
        },
        'auth' : 'simple'
    }
}];

Now, inside my server.js,

Server.register([{
    'register' : require('hapi-auth-bearer-token')
}, {
    'register' : require('./api')
}], function (error) {
    if (!error) {
        Server.auth.strategy('simple', 'bearer-access-token', {
            'validateFunc' : function (token, callback) {
                if (token === "1234") {
                    callback(null, true, {
                        'token' : token
                    })
                } else {
                    callback(null, false, {
                        'token' : token
                    })
                }
            }
        });

        Server.start(function () {
            console.log('info', 'Server running at ' + Server.info.uri);
        });
    }
});

But I get Error: Unknown authentication strategy: simple in path: /v1/users

Complete error message:

    at Object.exports.assert (/var/nodevagrant/project/Interest/node_modules/hapi/node_modules/hoek/lib/index.js:663:11)
    at /var/nodevagrant/project/Interest/node_modules/hapi/lib/auth.js:139:14
    at Array.forEach (native)
    at internals.Auth._setupRoute (/var/nodevagrant/project/Interest/node_modules/hapi/lib/auth.js:136:24)
    at new module.exports.internals.Route (/var/nodevagrant/project/Interest/node_modules/hapi/lib/route.js:131:47)
    at internals.Connection._addRoute (/var/nodevagrant/project/Interest/node_modules/hapi/lib/connection.js:342:17)
    at internals.Connection._route (/var/nodevagrant/project/Interest/node_modules/hapi/lib/connection.js:334:18)
    at internals.Plugin._apply (/var/nodevagrant/project/Interest/node_modules/hapi/lib/plugin.js:432:14)
    at internals.Plugin.route (/var/nodevagrant/project/Interest/node_modules/hapi/lib/plugin.js:407:10)
    at Object.exports.register (/var/nodevagrant/project/Interest/api/index.js:8:9)

I am new to npm and node. I was following an example in hapi.js in Action and ran into this error. I don't know if it is just because I downloaded the latest Node and NPE and there is a compatibility issue or if there might some mistake in the code.

npm ERR! Linux 4.2.0-27-generic
npm ERR! argv "/usr/bin/nodejs" "/usr/bin/npm" "install" "–-save" "hapi-auth-bearer-token"
npm ERR! node v5.6.0
npm ERR! npm v3.6.0

npm ERR! The header content contains invalid characters

I use this in a hapi v6 project, and I'm looking to upgrade to hapi v7. I don't expect there will be many- if any- breaking changes to this project, but package.json needs to be updated. See the release notes: hapijs/hapi#2023 .

Here's my route:

    syncImage: {
        handler: function(req, reply) {
            server.methods.uploadImage(req, reply);
        },
        payload:{
            maxBytes:209715200,
            output:'stream',
            parse: false
        },
        auth: 'simple',
        cors: {
            origin: ['*'],
            credentials: true,
            matchOrigin: false
        },
        id: 'syncImage'
    },

And in the client:

            var form = document.getElementById("imageForm");
            var formData = new FormData(form);
            var imageInput = document.getElementById("imageInput");
            var file = imageInput.files[0];
            formData.append('file', file);

            var xhr = new XMLHttpRequest();
            if ('withCredentials' in xhr) {
              xhr.open('POST', form.getAttribute('action'), true);
              xhr.setRequestHeader("Authorization", "Bearer 1234");
              xhr.withCredentials = "true";
              xhr.onreadystatechange = function (aEvt) {
                if (xhr.readyState == 4) {
                   if(xhr.status == 200) {
                      if (xhr.responseText === 'isFileOk') {
                        isFileUploaded = true;
                        imagePath = 'http://localhost:3000/uploads/' + file.name;
                        $('#saveOrder').removeAttr('disabled');
                        $('#wrapper').css('display', 'none');  
                      }
                   } else {
                    isFileUploaded = false;
                     alert("Error !");
                   }
                }
              }
              xhr.send(formData);
              return false;
            }

Am I missing something?

Regards

Seeing the amount of PR's from greenkeeper it would make sense to enable the new bot (https://github.com/integration/greenkeeper) which ammends 1 PR per module update
See Salesflare/hapi-csv#11 for example

@johnbrett since you are the owner you'll have to do it ^^

Hello.

I have a pb when i pass a error (boom) in callback of validateFunc

if (error) {
    return callback(error, false, null);
}

trow a error

Debug: hapi, internal, implementation, error
    TypeError: Cannot call method 'code' of undefined
    at /var/myproject/node_modules/hapi-auth-bearer-token/lib/index.js:47:119

and when a console.log reply i can't find code function

{ [Function]
  _root: [Function],
  view: [Function],
  file: [Function],
  proxy: [Function],
  close: [Function],
  state: [Function],
  unstate: [Function],
  redirect: [Function] }

I make something wrong ?

The devDependency hapi was updated from 17.6.0 to 17.6.1.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

hapi is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

github.com/hapijs/joi makes schemas much more readable, easier to test and reduce the likelihood of unintended bugs.

When this module was first written, it had one or two options, meaning it didn't really need a joi schema. This has since grown and it would now be worth adding a joi schema and validate this when registering an auth method.

Note: This doesn't add any performance hit per request, only on auth scheme registration, as the auth schema will only be validated when schema is registered.

This issue for new contributors, myself and @AdriVanHoudt are available to help work through this PR

Hi John, out of interest, why do you delete the access token field from request.query in lib/index.js:26?

delete request.query[settings.accessTokenName];

Helllo. I am using hapi and typescript . Version 6.0.1 not job. Error impossible to find register of undefinded

Can you please add tags to commits of published versions after 4.1.0 ?

Version 13.1.0 of joi was just published.

This version is covered by your current version range and after updating it in your project the build failed.

joi is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

In version 4.3.1 with default options, I noticed that when the Authorization header is just Bearer, the token parameter that is passed to the validate function is undefined. Looking through the code, it seems to me that this is the case for current master as well. Although this behavior is reasonable, I wonder if it would be more appropriate to reply with Boom.unauthorized? I don't see how not having a token should ever result in a successful authentication, so it would be convenient for the middleware to handle that case.

Is there a way to expose the token? In auth bearer simple I just added it to the credentials (https://github.com/Salesflare/hapi-auth-bearer-simple/blob/master/lib/index.js#L31) but there is probably a safer way :P

I save my login token with UserDefault. Here is the code :

            AF.request(encodeURL, method: .post, parameters: nil, headers: headers, interceptor: nil)
            .responseString { response  in
                
                switch response.result{
                case .success(_):
                    if let json = response.value{
                        UserDefaults.standard.set(json, forKey: "token")
                        print("token saved \(json)")
                        // print((json as! [String : AnyObject]))
                        let homePage = self.storyboard?.instantiateViewController(identifier: "dashboard") as! HalamanUtama
                        self.navigationController?.pushViewController(homePage, animated: true)
                             
                    }
                    break
                case .failure(let error) :
                    print([error as! Error])
                    break
                    
                }
        }

I didn't make an Interceptor class(retry and adapt) func due to the the token is not expired yet. Then, I called the token that I've already saved before in this class. Here is the code :

       AF.request(url, method: .get, parameters: parameters, encoding: URLEncoding.default).responseJSON { (response) in
        switch response.result{
                           case .success(_):
                               if let json = response.value{
                                let defaults = UserDefaults.standard
                                defaults.value(forKey: "token")
                                   print("token saved \(json)")
                                   
                               }
                               break
                           case .failure(let error) :
                               print([error as! Error])
                               break
                               
                           }
    }

I got an error message : "error : 500, invalid token, data null". what's wrong with my code?

Remove .vscode from versioning and add it go .gitignore
Add a changelog to the project :)

Currently it is not possible to chain strategies.
hapi docs: If the err does not include a message but does include a scheme name (e.g. Boom.unauthorized(null, 'Custom')), additional strategies will be attempted in order of preference. (under https://github.com/hapijs/hapi/blob/master/API.md#serverauthschemename-scheme)
And since on !isValid there is an unauthorized error with message, hapi will not try other strategies (

Am I correct or am I just doing something wrong?

(background: as you may now I wrote https://github.com/Salesflare/hapi-auth-bearer-simple but now we do have a need for query param functionallity and at that point the gap seems to close to have 2 versions of this scheme type ;) )

Version 16.5.0 of hapi just got published.

This version is covered by your current version range and after updating it in your project the build failed.

As hapi is “only” a devDependency of this project it might not break production or downstream projects, but “only” your build or test tools – preventing new deploys or publishes.

I recommend you give this issue a high priority. I’m sure you can resolve this 💪

Your Greenkeeper Bot 🌴

Version 4.1.0 of code just got published.

This version is covered by your current version range and after updating it in your project the build failed.

As code is “only” a devDependency of this project it might not break production or downstream projects, but “only” your build or test tools – preventing new deploys or publishes.

I recommend you give this issue a high priority. I’m sure you can resolve this 💪

Your Greenkeeper Bot 🌴

I have a need to support multiple Authorization header fields. e.g.

Authorization: FD AF6C74D1-BBB2-4171-8EE3-7BE9356EB018; Bearer 12345678

The current code only allows a single authorization field: Authorization: Bearer xxx

@greenkeeperio-bot spammed the project with automatic PC.

Clean up would helpful :)

Hi

Please add support for hapi 9.x

Thanks!
Rogelio

hapi-auth-bearer-token

Important Note: v6 Drops support for hapi < v17 and Node < 8, due to the nature of the hapi v17 rewrite: hapijs/hapi#3658.

breaking changes:

• hapi versions below v17 are no longer support from version 6 of this module.
• validateFunc is renamed to validate. The Func suffix was an old convention to signify a function to be passed in here. This much cleaner and less intimidating to new users.
• unauthorizedFunc is renamed to unauthorized. Same reasoning as validateFunc.
• validate function signature function (token, callback) becomes [async] function(request, token, h).
  • validate must now return an object containing the auth details, as opposed to passing this information via callback used in previous versions. There is an example of this in the project README
  • The request object has been added to the function signature as previously request could only be accessed via this to avoid breaking changes. This was inconsistent and has been fixed in this release.

Please note: as part of changes with in hapi v17, server.auth.default('simple'); must now be used when setting a default auth strategy. Default strategies can no longer be set when calling server.auth.strategy. Please be careful with this.

Lets assume in the validate function the validity is proven to be wrong. The plugin still expects a credentials object to be passed even if isValid:false.
Even though the function is called with the response toolkit, using something like return h.response().code(401) does not work as expected.

Please find the code below. The plugins we are using as modules have seneca routes. In validateFunc we are calling tokeninfo where we get user's info. We need help to understand how to pass the user's info over to the plugins/modules.

server.register(plugins, (err) => {

         server.auth.strategy('simple', 'bearer-access-token', true, {
             allowQueryToken: true, 
             allowMultipleHeaders: false, 
             accessTokenName: 'token',    
             validateFunc: function (token, callback) {    
               Wreck.get(TOKEN_URL+'/tokeninfo?access_token=' + token,
               { json: 'force' }, function (err, response, payload) {    
                 if(response.statusCode == 200) {
/*********************/
//here i got the user id/info 
//but how to pass it into plugins as it is in callback  function?
                   return callback(null, true, { token: token });
                 } else {
                   return callback(null, false, { token: token });
                 }
               });
           }
             });
       });

Thank you in advance if you can please help.

The devDependency code was updated from 5.2.0 to 5.2.1.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

code is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

Sorry to bother am new Hapijs and am trying your plugin using mongo as back end when i look for the user using User.findById in the validation method i get this exception:tried everything but here i am.

Debug: internal, implementation, error 
TypeError: Property '_next' of object function (err, response, data) {

    reply._data = data;                 // Held for later
    return reply.response(err !== null && err !== undefined ? err : response);
} is not a function
at Function.internals.continue (E:\newCode\webApps\node_modules\hapi\lib\reply.js:102:10)
at E:\newCode\webApps\node_modules\hapi-auth-bearer-token\lib\index.js:65:42
at Promise.<anonymous> (E:\newCode\webApps\app\utils\autho.js:18:32)
at Promise.<anonymous> (E:\newCode\webApps\node_modules\mongoose\node_modules\mpromise\lib\promise.js:177:8)
at Promise.emit (events.js:95:17)
at Promise.emit (E:\newCode\webApps\node_modules\mongoose\node_modules\mpromise\lib\promise.js:84:38)
at Promise.fulfill (E:\newCode\webApps\node_modules\mongoose\node_modules\mpromise\lib\promise.js:97:20)
at E:\newCode\webApps\node_modules\mongoose\lib\query.js:1394:13
at model.Document.init (E:\newCode\webApps\node_modules\mongoose\lib\document.js:250:11)
at completeOne (E:\newCode\webApps\node_modules\mongoose\lib\query.js:1392:10)

This the method used in the validation

    function (token, callback) {
    if (token) {
        try {
            var decodedToken = jwt.decode(token, config.secretToken);
            if (decodedToken.exp && decodedToken.exp <= Date.now()) {
                return callback(null, false);
            }
            User.findById(decodedToken.iss, '_id uName',
                function (err, users) {
                    if (!err) {
                        return callback(null, true, users);
                    }
                });

        } catch (err) {
            return callback(null, false);
        }
    }
    return callback(null, false);
    }

Thanks

Hi,

Thanks for your project I appreciate it 👍🏻 I have a problem getting it to work though, I'm trying to add authentication to an existing API Hapi project. This is my implementation of server.register:

server.register(
  [
    inert,
    vision,
    {
      register: hapiSwagger,
      options: swaggerOptions
    },
    authBearer
  ],
  function (error) {
    server.auth.strategy('simple', 'bearer-access-token', {
      allowQueryToken: true,
      validate: async (request, token, h) => {

        // TODO: Validate token
        const isValid = token === '1234';
        const credentials = { token };
        const artifacts = { test: 'info' };
        return { isValid, credentials, artifacts };
      }
    });
    server.auth.default('simple');
  }
);

And this is the error I'm getting:

if (plugin.register.register) {                             // Required plugin
                            ^

TypeError: Cannot read property 'register' of undefined
    at module.exports.internals.Server.internals.Plugin.register

I hope you can help me out.
Cheers

Hello,

we are using AuthBearer plugin for authentication. can we skip some routes from the authetication?
something like

auth{
strategy: ""
} 

or
auth : false

Thanks in advance.