hapi-access-token is a third-party login plugin for hapi. hapi-access-token comes with default support for Facebook. This was built with mobile apps in mind: mobile apps generally authenticate themselves with the installed app, and they simply receive an access token for future requests on the user's behalf.
Add a login endpoint and set it to use the hapi-access-token authentication strategy.
hapi-access-token does not maintain a session. Once the handler is called, the application must set its own session management.
var Hapi = require('hapi');
var Boom = require('boom');
var server = new Hapi.Server(8000);
// Register hapi-access-token with the server
server.register(require('hapi-access-token'), function (err) {
// Declare an authentication strategy using the hapi-access-token scheme
server.auth.strategy('facebook-access-token', 'access-token', {
accessTokenKeyName: 'access_token', // The query parameter key you'll be specifying the access token in,
profileUrl: 'https://graph.facebook.com/me?access_token=', // The url to get the user's profile,
validateFunc: function(payload, accessToken, reply) { // The function which will extract the user profile and set it as the request's credentials
try {
var profile = JSON.parse(payload);
var credentials = {};
credentials.token = accessToken;
credentials.profile = {
id: profile.id,
username: profile.username,
displayName: profile.name,
name: {
first: profile.first_name,
last: profile.last_name,
middle: profile.middle_name
},
email: profile.email,
raw: profile
};
return reply.continue(null, {credentials: credentials});
} catch(err) {
return reply(Boom.unauthorized(err.toString()));
}
}
});
server.route({
method: ['GET'],
path: '/login', // The callback endpoint registered with the provider
config: {
auth: 'facebook-access-token',
handler: function (request, reply) {
// Perform any account lookup or registration, setup local session,
// and redirect to the application. The third-party credentials are
// stored in request.auth.credentials. Any query parameters from
// the initial request are passed back via request.auth.credentials.query.
return reply.redirect('/home');
}
}
});
server.start();
});
The server.auth.strategy()
method requires the following strategy options:
accessTokenKeyName
- The query parameter key you'll be specifying the access token in.profileUrl
- The URL where the user account can be foundvalidateFunc
- The function which will parse out the user's profile with the parameters:payload
- The response payload from theprofileUrl
accessToken
- The original access token used for this requestreply
- A Hapi authorization callback with any errors as the first parameter and therequest.auth
object as the second parameter