Closed saeidalidadi closed 8 years ago
It's in the documentation, same as a hapi route auth.
I mean setting authentication for my routes in the documentation, for example /path/to/name, to be secure.
I'm not sure I understand. Did you set up hapi authentication and it's not visible in docs, or are you asking how to do authentication in hapi?
I set up auth: 'required' in the lout options when I register it. I also add a route with path /docs/admin that is a login page, and after login, to see the docs, the user is redirected to /docs?token='token'. At the end of this scenario I am faced with a validation error that says Token is not valid for /docs.
On Wed, Jun 15, 2016 at 12:06 PM, Nicolas Morel notifications@github.com wrote:
I'm not sure I understand. Did you set up hapi authentication and it's not visible in docs, or are you asking how to do authentication in hapi?
I'll need code to see the details of what you're doing.
My validation function:
```coffee
validate = (decoded, request, cb) ->
  console.log request.auth.token
  # A token of type 'docs' is accepted only on the /docs path itself
  isDocs = if request.path is '/docs' then on else off
  isAdmin = if decoded.type? and decoded.type is 'docs' then on else off
  if isAdmin and isDocs
    return cb null, true
  # Any other token must belong to a login known to the server
  login = request.server.app.logins[decoded.id]
  if login
    return cb(null, true)
  else
    cb(null, false)
```
Authenticating for POST /docs
```coffee
path: '/docs'
method: 'POST'
config:
  auth: mode: 'try'
handler: (request, reply) ->
  if request.payload.username is config.docs.username and
      request.payload.password is config.docs.password
    token = jwtoken.sign { type: 'docs' }, config.tokenKey
    reply.redirect "/docs?token=#{token}"
  else
    reply.view 'docs'
```
And this is the response error:
{"statusCode":400,"error":"Bad Request","message":"\"token\" is not allowed","validation":{"source":"query","keys":["token"]}}
Can you try with 9.0.1?
It should get you to the index at least, navigation will probably be broken. I'd accept a PR to make it work (not just for "token").
I will add token to validate.query in lout module to satisfy myself for now :)
Ok, I reinstalled lout and now it works fine, but another issue is authorization for the static files of the template. In the Google dev console this is the authorization error:
http://localhost:8012/docs/css/style.css Failed to load resource: the server responded with a status of 401 (Unauthorized)
It will be so useful to skip authorization for all routes as an option.
Just pass false.
If I pass false for the auth option, my /docs will not authenticate as I want. I just need authorization for /docs, not all routes. For instance, this will be authorized as not authenticated:
localhost:8012/docs?server='server'&path='path'
Aside question: are you already using that token as part of the authentication on your site, or is it dedicated to the lout part?
It is dedicated to the lout part. The alternative solution is using cookie-based authentication instead of JWT, since cookies are sent in headers by the browsers.
That's what I had in mind. Unless you want to do a PR to support query params transmission, I'm not going to do it myself.
Is it possible to set authentication for a route with token in query params?
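The cookie-based alternative raised above, sketched as an added example (not code from the thread or from lout). It assumes the callback-style hapi API that the thread's handlers use, plus the hapi-auth-cookie plugin; the strategy name, the cookie name and `config.cookiePassword` are hypothetical.

```coffeescript
# Added example, not code from the thread. Assumed names: the strategy
# 'docs-session', the cookie 'docs_session', and config.cookiePassword.
Hapi = require 'hapi'
config = require './config'   # assumed: docs.username, docs.password, cookiePassword

server = new Hapi.Server()
server.connection port: 8012

plugins = [require('vision'), require('inert'), require('hapi-auth-cookie')]

server.register plugins, (err) ->
  throw err if err
  # View engine setup for the 'docs' login template is assumed to exist elsewhere.

  # The browser attaches this cookie to every request under /docs, so the
  # index and /docs/css/style.css both authenticate, and no extra "token"
  # key reaches lout's query validation.
  server.auth.strategy 'docs-session', 'cookie',
    password: config.cookiePassword   # at least 32 characters
    cookie: 'docs_session'
    path: '/docs'
    redirectTo: '/docs/admin'         # unauthenticated visitors get the login page
    isSecure: true                    # false only for plain-HTTP local testing
    isHttpOnly: true

  # The login form and its submit stay open: no default strategy is set.
  server.route
    method: 'GET'
    path: '/docs/admin'
    handler: (request, reply) -> reply.view 'docs'

  server.route
    method: 'POST'
    path: '/docs/admin'
    handler: (request, reply) ->
      if request.payload.username is config.docs.username and
          request.payload.password is config.docs.password
        request.cookieAuth.set type: 'docs'
        reply.redirect '/docs'
      else
        reply.view 'docs'

  # The 401 on /docs/css/style.css above shows lout's static files sit
  # behind the same auth option as the docs pages.
  server.register { register: require('lout'), options: { auth: 'docs-session' } }, (err) ->
    throw err if err
    server.start (err) -> throw err if err
```

Because the session never appears in a URL, it also stays out of access logs, browser history and Referer headers, which a `?token=` redirect does not.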