Role based authentication in HapiJS

I am working on a rest API first project written with HapiJS. After the login process the user gets a token to pass in the header of every request. Users have different roles (admin, standard, guest, partners) and some API endpoints are reachable only by users with a certain role. Could someone help me in defining this check in a nice way, so without writing the check every time inside the route?

Scopes

You can use scopes in hapi. When you authenticate the request by checking the header, you can set the scope property of the user's credentials:

var validateFunc = function (username, password, callback) {

    ... // Your logic here

    return callback(null, true, {scope: 'admin'});
};

When defining a route you can set the scopes which are permitted to that endpoint in the config.auth.scope property:

server.route({
    ...
    config: {
        auth: {
            strategy: 'simple', 
            scope: ['user', 'admin']
        },
    }
    ...
});

Now, only users who are authenticated with the scope of user or admin will be able to access that route.

Process

  1. Decide on some scopes (admin, superuser, guest etc)
  2. Configure your authentication routine to correctly set the scope on the user's credentials
  3. Configure your routes by setting the config.auth.scope to whomever is allowed to access it

Runnable Example

var Hapi = require('hapi');

var server = new Hapi.Server();
server.connection({ port: 4000 });

server.register(require('hapi-auth-basic'), function (err) {

    if(err) {
        throw err;
    }

    server.auth.strategy('simple', 'basic', {
        validateFunc: function (username, password, callback) {

            if (username === 'admin') {
                return callback(null, true, {scope: 'admin'}); // They're an `admin`
            }
            if (username === 'user') {
                return callback(null, true, {scope: 'user'}); // They're a `user`
            }
            return callback(null, false);
        }
    });

    server.route([{
            config: {
                auth: {
                    strategy: 'simple', 
                    scope: ['admin']                    // Only admin
                },
            },
            method: 'GET',
            path: '/admin',
            handler: function(request, reply) {

                reply('Admin page');
            }
        }, {
            config: {
                auth: {
                    strategy: 'simple', 
                    scope: ['user', 'admin']            // user or admin
                },
            },
            method: 'GET',
            path: '/user',
            handler: function(request, reply) {

                reply('User page');
            }
        }
    ]);

    server.start(function () {
        console.log('Started server');
    });
});
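As an added example that is not part of the answer or of hapi itself, the following stand-alone JavaScript re-implements hapi's documented scope check (plain entries, plus the `+required` and `!forbidden` prefixes, which go beyond the plain lists used above) and applies it to the two routes from the runnable example, so the 200/403 outcomes can be seen without starting a server. The route table, the `authorize` helper and the `guest` user are assumptions made for illustration.

```javascript
// Stand-alone re-implementation of hapi's route scope check, added for
// illustration; it is not hapi's own code. Rules as documented by hapi:
//   'admin'  -> at least one of the plain scopes listed must be held
//   '+admin' -> required: the credentials must hold it
//   '!guest' -> forbidden: the credentials must not hold it
// credentials.scope may be a single string (as in the answer) or an array.
function checkScope(routeScope, credentialsScope) {
  if (!routeScope) return true;                      // route has no scope requirement
  const rules = [].concat(routeScope);
  const held = new Set([].concat(credentialsScope || []));
  let hasPlainRule = false;
  let plainMatched = false;
  for (const rule of rules) {
    if (rule.startsWith('+')) {
      if (!held.has(rule.slice(1))) return false;    // missing a required scope
    } else if (rule.startsWith('!')) {
      if (held.has(rule.slice(1))) return false;     // holds a forbidden scope
    } else {
      hasPlainRule = true;
      if (held.has(rule)) plainMatched = true;
    }
  }
  return !hasPlainRule || plainMatched;
}
// Route table reduced from the answer: path -> config.auth.scope
const routes = {
  '/admin': ['admin'],
  '/user': ['user', 'admin'],
};

// Decides a request the way hapi reports it: 401 without credentials,
// 403 when authenticated but the scope does not match (assumed helper).
function authorize(path, credentials) {
  if (!(path in routes)) return 404;
  if (!credentials) return 401;
  return checkScope(routes[path], credentials.scope) ? 200 : 403;
}

// Constructed credentials matching the answer's validateFunc; 'guest' is a
// hypothetical third user that authenticates but carries no scope.
const users = {
  admin: { scope: 'admin' },
  user: { scope: 'user' },
  guest: {},
};

for (const name of Object.keys(users)) {
  console.log(name, '/admin ->', authorize('/admin', users[name]),
              '/user ->', authorize('/user', users[name]));
}
```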
