How to get auth0 working with Hapi + Glue

Hi,

I have started creating free account to try auth0.

The getting start sample showing the basic Hapi Integration.

Do you have a sample of How to Integrate into (Hapi + Glue) ?

I have an existing code in manifest.json

{
"registrations" : 
       {
         "plugin" : {
            "register" : "hapi-auth-basic"
         }
      },
      {
         "plugin" : {
            "register" : "hapi-auth-cookie"
         }
      },
      {
         "plugin" : {
            "register" : "../config/routes/dir.js"
         },
         "options" : {
            "select" :  "api" ]
         }
      }
]
}

hapi component (dir.js)

var Inert = require('inert');
// var Path = require('path');

exports.register = function(server, options, next) {
    server.register(Inert, () => {});
    server.route({
        method: 'GET',
        path: '/{File*}',
        config: {
            description: 'Return files in the folder',
            tags: 'api2'], // ADD THIS TAG 
            handler: {
                directory: {
                    path: 'assets', // Path.join(__dirname, 'tools'),
                    listing: true
                }
            },
            auth: false
        }
    });

    next();
};

exports.register.attributes = {
    name: 'tools'
};

This is in my package.json

  "dependencies": {
    "babel-core": "^6.24.1",
    "babel-preset-es2015": "^6.24.1",
    "bell": "^8.7.0",
    "blipp": "^2.3.0",
    "glue": "^4.1.0",
    "hapi": "^16.1.1",
    "hapi-api-version": "^1.3.0",
    "hapi-auth-basic": "^4.2.0",
    "hapi-auth-cookie": "^7.0.0",
    "hapi-auth-jwt": "^4.0.0",
    "hapi-auth-jwt2": "^7.2.4",
    "hapi-swagger": "^7.7.0",
    "hapi-swaggered": "^2.9.0",
    "hapi-swaggered-ui": "^2.6.0",
    "inert": "^4.2.0",
    "jwks-rsa": "^1.1.1",
    "package": "^1.0.1",
    "rejoice": "^4.0.0",
    "rekuire": "^0.1.9",
    "swaggerize-hapi": "^2.0.1",
    "uuid": "^3.0.1",
    "vision": "^4.1.1"
  }

Edit:

Hi,
I have been working on other project and now back to this task again.
I can’t navigate to the private link, Unauthorized.
Can you tell me what I have done wrong ?
Thanks.

I have download the sample project running with node + hapi.
I have started at http://localhost:3001/api/private.
I am copying the sample code c# using RestClient Request Bearer Token.
It was successful.
but when I am calling the local host with the sample code c#
calling the http://localhost:3001/api/private

{"statusCode":401,"error":"Unauthorized","message":"Invalid token","attributes":{"error":"Invalid token"}}

• I don’t think I have done it right.
• I have went to https://manage.auth0.com/#/apis
• Create API
• Name: MyApi
• Identifier: http://localhost:3001/api/private
• Create
• I am clicking on Scopes Tab then add name read:messages
• Navigate to “Non Interactive Client”
• Make sure it is Authorized
• and the Scopes, read:messages is checked.
• Then click on test.
• Go to Section: Sending the token to the API
• Select c#
• Copy the code
• then add to the code Console.WriteLine(response);

if I try from c# code with
url: http://localhost:3001/api/public

{"message":"Hello from a public endpoint! You don't need to be authenticated to see this."}

url: http://localhost:3001/api/private

{"statusCode":401,"error":"Unauthorized","message":"Invalid token","attributes":{"error":"Invalid token"}}

To my knowledge, at this time, there’s no sample available in specific for the use of Hapi+Glue.

However, the available sample (https://auth0.com/docs/quickstart/backend/hapi/01-authorization) makes use of hapi-auth-jwt2 so you may want to check the following issue reported within that library as it’s related to what you’re looking for and may contain a solution/workaround:

hapi-auth-jwt2 - Integration with glue

Thank you @jmangelo for the information. I’ll take a look at > hapi-aut-jwt2

I want each api call to be authenticated (Auth0) and Authorise Expose API(s) Based on this Key from Auth0.

This is what I am thinking of doing, but not sure if this the correct way to do. One key allows access to all my api, per user. One key allows access to some of my api, per user. Am I wrong with the idea of using key to control route?

This key is stored in a SQL table to indicate what API to expose? I would need to create user table and store keys against the user. But this does not prevent user with different key to access the resource if they have authenticated and know the URI.

I want each api call to be authenticated (Auth0) and Authorise Expose API(s) Based on this Key from Auth0.

This is what I am thinking of doing, but not sure if this the correct way to do. One key allows access to all my api, per user. One key allows access to some of my api, per user. Am I wrong with the idea of using key to control route?

This key is stored in a SQL table to indicate what API to expose? I would need to create user table and store keys against the user. But this does not prevent user with different key to access the resource if they have authenticated and know the URI.

With Auth0 API authorization there is no notion keys; there are however the notion of tokens. The tokens would be issued to end-users and could contain information (scopes) that give permission to all your API or to just a subset of your API depending on the constrains you would require.

I recommend you to read the API authorization related documentation to better understand what’s available.

I have worked out the problems:

1. The Server Side (Hapi) Sample Project .env file does not populate:
   AUTH0_AUDIENCE={AUDIENCE}
   Once I have replaced with the correct Audience, the I get a different error.
2. The sample code was passing authorization into header bearer, but the Generated access_token does not include the scope (this seem to be fixed now).