Using apiKey auth, how do you hide routes that need the key?
Opened this issue · 2 comments
delaneyj commented
I have the following in an app:

    const Hapi = require('hapi');
    const Boom = require('boom');

    const server = new Hapi.Server();
    server.connection({ port: 3000 });

    server.register(require('hapi-auth-bearer-token'), (err) => {
        if (err) throw err;
        server.auth.strategy('simple', 'bearer-access-token', {
            allowQueryToken: true, // optional, true by default (note: keys passed in the query string end up in access logs and referrers)
            allowMultipleHeaders: false, // optional, false by default
            accessTokenName: 'apiKey', // optional, 'access_token' by default
            // A regular function, not an arrow function: the plugin binds the
            // request to `this`, which an arrow function would not receive.
            validateFunc: function (apiKey, callback) {
                // For convenience, the request object can be accessed
                // from `this` within validateFunc.
                const request = this;
                // Use a real strategy here,
                // comparing with a token from your database for example
                if (apiKey === '1234') callback(null, true, { user: 'delaney', roles: ['admin'] });
                else callback(Boom.badRequest(`you aren't allowed silly`));
            }
        });
    });
And it will get called properly, but if the wrong apiKey is used in the UI, you can still see routes that use the auth. Any ideas?
z0mt3c commented
Currently there's no filtering based on authorization. Feel free to propose something.
delaneyj commented
Would something like checking the route's config.auth key be enough? If it exists, put an 'authorization required' marker on the heading div?