hapi-authorization
Support roles property not only role from validateFunc
Hey, it would be great if you started supporting roles too, not only role.
This:
var validate = function(username, password, callback) {
  // Perform authentication and callback with object that contains a role or an array of roles
  callback(null, true, {username: username, role: 'EMPLOYEE'});
}
To become:
var validate = function(username, password, callback) {
  // Perform authentication and callback with object that contains a role or an array of roles
  callback(null, true, {username: username, roles: ['EMPLOYEE']});
}
I know that you can put multiple roles in role but plural would be great.
Are you sure this doesn't already work? I haven't used this in a while, but the README file shows that it works with plural:
server.route({ method: 'GET', path: '/', config: {
  plugins: {'hapiAuthorization': {roles: ['USER', 'ADMIN']}},
  handler: function (request, reply) { reply("Great!");}
}});
Looks like I validate either:
https://github.com/toymachiner62/hapi-authorization/blob/master/lib/schema.js#L41
Hmm I tested it and it didn't seem like it's working.
Can you put together a simple example that shows this not working?
Not the route but the validate func that calls the callback parameter:
validateUser: (decoded, request, callback) => {
  UserRepo.findById(decoded.id)
    .then(found => {
      if (found) {
        request.user = found; // eslint-disable-line no-param-reassign
        return callback(null, true, { role: found.roles });
      }
      return callback(null, false);
    })
    .catch(err => {
      const promise = callback(err, false);
      return promise;
    });
}
Validate func is then passed to the auth strategy.
server.auth.strategy('jwt', 'jwt',
  {
    key: secret, // Never Share your secret key
    validateFunc: auth.validateUser, // validate function defined above
    ignoreExpiration: false,
    verifyOptions: {
      algorithms: ['HS256'] // pick a strong algorithm
    }
  })
OK, I'm following now. Can you create a pull request to allow roles and role?
@abeninskibede If you need a workaround, you can use:
callback(null, true, {username: username, role: ['EMPLOYEE', 'MANAGER']});
It should be named "roles" to keep consistency, but "role" currently accepts either a string or an array in the validation callback.
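
The workaround from the last comment, written out as an added example (not code from this thread or from the plugin): a helper that maps a user record's `role` or `roles`, string or array, onto the single `role` array the validation callback is said to accept. The names `toRoleCredentials`, `makeValidate`, `lookup` and the sample users are hypothetical, and rejecting records with no roles or malformed roles is an assumption of this example.

```javascript
// Normalise `role` / `roles` on a user record into one `role` array.
// Returns null when the record cannot yield a clean, non-empty role list.
function toRoleCredentials(user) {
  if (!user || typeof user !== 'object') return null;

  // Accept either property, each as a string or an array of strings.
  const raw = [].concat(user.roles ?? [], user.role ?? []);

  const roles = [];
  for (const r of raw) {
    // Reject the whole record on a malformed entry instead of silently
    // dropping it, so a bad record never authenticates with partial roles.
    if (typeof r !== 'string' || r.trim() === '') return null;
    const name = r.trim();
    if (!roles.includes(name)) roles.push(name);
  }

  // No roles at all: fail closed (assumption of this example).
  if (roles.length === 0) return null;

  return { username: user.username, role: roles };
}

// Callback-style validate function in the shape used in the thread.
// `lookup` is a hypothetical synchronous user store for the demo.
function makeValidate(lookup) {
  return function validate(username, password, callback) {
    const credentials = toRoleCredentials(lookup(username, password));
    if (!credentials) return callback(null, false);
    return callback(null, true, credentials);
  };
}

// Constructed sample records, not real data.
const users = {
  alice: { username: 'alice', roles: ['EMPLOYEE', 'MANAGER'] },
  bob: { username: 'bob', role: 'EMPLOYEE' },
  carol: { username: 'carol', roles: [] },
};
const validate = makeValidate((name) => users[name]);
validate('alice', 'x', (err, ok, creds) => console.log(ok, creds));
validate('carol', 'x', (err, ok) => console.log(ok));
```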