5.0.0 • Published 2 years ago

hapi-bpc v5.0.0

Weekly downloads
13
License
ISC
Repository
github
Last release
2 years ago

hapi-bpc

This package is published on NPM: https://www.npmjs.com/package/hapi-bpc

Hapi BPC plugin that enables service, routes and auth scheme and strategy.

Benefits of the plugin:

  • Fetching and auto reissue of app ticket.
  • Auth scheme and strategy bpc to be used in route options.
  • Routes for clients to exchanges tickets with BPC.
  • Management of the user ticket using a cookie. Standard cookie settings can be overriden.
  • A bpc client is available on the request toolkit as h.bpc and the server as server.bpc.
  • The Hawk library is available on the server as server.hawk.

The scheme (and strategy) enables the decoration of routes auth-options. See example usage in the route options below.

These routes will accept authorization in form of either A) a cookie containing BPC ticket or B) an Hawk Authorization header generated using a BPC ticket. Each request will be validated with a request to BPC.

The toolkit enables interaction with BPC with a minmal effort. See example usage in the handler below.

The routes enables endpoints for clients to interact with BPC with a minimal effort. See overview below.

The plugin requires ENV vars: BPC_URL, BPC_APP_ID and BPC_APP_KEY.

Install plugin using:

npm install --save hapi-bpc

Register plugin with Hapi.js and connect to BPC:

await server.register(require('hapi-bpc'));
// Or: await server.register({ plugin: require('hapi-bpc'), options: { cors: false }});
await server.bpc.connect();

To override the standard cookie/state, use the options object, when registering the plugin. See https://hapi.dev/api/?v=18.3.2#server.state() for details on possile settings and values.

Example:

await server.register({ plugin: require('hapi-bpc'), options: { state: { ttl: null, encoding: 'none' } }});

If the ticket cookie must be served over a non-secure/non-HTTPS connection (eg. localhost development), set ENV var SECURE_COOKIE=false.

Auth scheme and toolkit

After registering the plugin, routes can be decorated with the auth scheme bpc. The auth scheme support both A) having the BPC ticket in a cookie, and B) a Hawk Authorization header created using a BPC ticket.

Autorized requests will have the credentials stored in the req.auth.credentials object.

The BPC client will also be available on the request toolkit as h.bpc. See https://github.com/BerlingskeMedia/bpc_client

The Hawk library is also available on the server as server.hawk.

Example usage:

    server.route({
        method: 'GET',
        path: '/',
        options: {
            auth: {
                strategy: 'bpc',
                access: {
                    scope: 'a_scope',
                    entity: 'any' // <- Can be any|app|user.
                }
            },
            state: {
                parse: true
            }
        },
        handler: (request, h) => {

            // Getting the bpc client from toolkit to interact with BPC
            const bpc = h.bpc;

            // The user details are available because of the auth strategy.
            const credentials = request.auth.credentials;
            // Note: request.auth.credentials can contain either a user ticket or an object {app, scope, exp} from the app ticket

            const permissions = await bpc.request({
                path: `/permissions/${credentials.user}/{some_scope}`,
                method: 'GET'
            });

            // In case the client is using the /authorize endpoints (also from this plugin) to authorize users
            // the user ticket is available in the request state.
            const userTicket = request.state[bpc.state_name];

            // User tickets can be used for BPC requests as well, like this:
            const permissions = await bpc.request({
                path: `/permissions/{some_scope}`,
                method: 'GET'
            }, userTicket);
        }
    });

Another example usage, where there is roles added to the app scopes. (In BPC, roles (role:) is a reserved form of scope.) Roles are created and added via the BPC Console. In the example below, a user and admin are allow to get the data. But only an admin are allowed post data.

See section Scope

register: function (server, options) {

    const bpc_app_id = server.bpc.app.id;

    server.route({
        method: 'GET',
        path: '/data',
        options: {
            auth: {
                strategy: 'bpc',
                access: {
                    scope: [
                        `role:${ bpc_app_id }:user`,
                        `role:${ bpc_app_id }:admin`
                    ],
                    entity: 'user'
                }
            },
        },
        handler: (request, h) => {
            // Your magic here
        }
    });


    server.route({
        method: 'POST',
        path: '/data',
        options: {
            auth: {
                strategy: 'bpc',
                access: {
                    scope: [
                        `role:${ bpc_app_id }:admin`
                    ],
                    entity: 'user'
                }
            },
        },
        handler: (request, h) => {
            // Your magic here
        }
    });
}

Routes

These routes will be registeret with the Hapi server:

GET|POST /authorize

This route must be called to authorize the user in order to authorize request to routes decorated with the auth scheme bpc.

Querystring/payload can be empty, a rsvp or a Gigya/Google user session.

If querystring/payload is rsvp this endpoint will trigger a POST /ticket/user request to BPC.

If querystring/payload is a Gigya or Google user session, this endpoint will trigger both a POST /rsvp and a POST /ticket/user request to BPC.

If payload is a ticket, the ticket will be used in a POST /ticket/reissue request to BPC. This request will check for valid grant.

If querystring/payload is empty, a ticket in cookie will be used in a POST /ticket/reissue request to BPC. This request will check for valid grant.

Response will be a user ticket.

Response will also include a cookie, that is protected by the flags SameSite=Strict, Secure and HttpOnly.

DELETE /authorize

This endpoint removes the ticket from the cookies. No other requests are made.

Developing

Clone this repo and register it with NPM locally using the command: npm link

Change directory to the Hapi.js project. Link the local version this repo using the command npm link hapi-bpc.

Publish to NPM

Before you can publish, you need to be maintainer and run npm login.

Do this:

  1. Commit/merge your change to master branch.
  2. Run npm version major|minor|patch to increase the semver version in package.json file.
  3. Run npm publish.
  4. Run git push.
5.0.0

2 years ago

4.2.2

2 years ago

4.1.2

3 years ago

4.1.1

3 years ago

4.1.0

3 years ago

4.0.2

3 years ago

3.5.5

3 years ago

3.6.0-dev

3 years ago

4.0.2-dev

3 years ago

3.6.0

3 years ago

4.0.1-dev

3 years ago

4.0.0-dev

3 years ago

3.5.2

5 years ago

3.5.1

5 years ago

3.5.0

5 years ago

3.4.0

5 years ago

3.3.4

5 years ago

3.3.3

5 years ago

3.3.2

5 years ago

3.3.1

5 years ago

3.3.0

5 years ago

3.2.5

5 years ago

3.2.4

5 years ago

3.2.3

5 years ago

3.2.2

5 years ago

3.2.1

5 years ago

3.2.0

5 years ago

3.1.0

5 years ago

3.0.1

6 years ago

3.0.0

6 years ago

1.1.1

6 years ago

1.1.0

6 years ago

1.0.0

6 years ago

0.1.0

6 years ago

0.0.1

6 years ago