z0mt3c/hapi-swaggered

Using apiKey auth, how do you hide routes that need the key?

Opened this issue · 2 comments

I have the following in an app

const Hapi = require('hapi');   // hapi v16-style API, matching the callback-based register() below
const Boom = require('boom');

const server = new Hapi.Server();
server.connection({ port: 3000 });

server.register(require('hapi-auth-bearer-token'), (err) => {
    if (err) throw err;

    server.auth.strategy('simple', 'bearer-access-token', {
        allowQueryToken: true,              // optional, true by default
        allowMultipleHeaders: false,        // optional, false by default
        accessTokenName: 'apiKey',          // optional, 'access_token' by default
        // Must be a regular function, not an arrow function: the plugin binds
        // the request object to `this`, and arrow functions ignore that binding.
        validateFunc: function (apiKey, callback) {
            // For convenience, the request object can be accessed
            // from `this` within validateFunc.
            var request = this;

            // Use a real strategy here,
            // comparing with a token from your database for example
            if (apiKey === "1234") callback(null, true, { user: 'delaney', roles: ['admin'] });
            else callback(Boom.badRequest(`you aren't allowed silly`));
        }
    });
});

And it will get called properly, but if the wrong apiKey is used in the UI, you can still see routes that use the auth. Any ideas?

Currently there's no filtering based on authorization. Feel free to propose something.

Would something like checking the route's config.auth key be enough? If it exists, put an 'authorization required' on the heading div?
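A sketch of the check proposed above, as an added example that is not code from hapi-swaggered or the issue: a helper that reads each route's config.auth, flags it for the heading, and drops it for viewers whose apiKey failed validation. The route objects are constructed for the example; the handling of false, string and object auth values follows the forms hapi accepts in route config, which is an assumption about how the routes were declared.

```javascript
// Decide whether a hapi route's `config.auth` value means the route cannot be
// reached without credentials. hapi accepts: undefined/false (no auth), a
// strategy name string, or an object with mode/strategy/strategies.
function authRequired(auth) {
  if (auth === undefined || auth === null || auth === false) return false;
  if (typeof auth === 'string') return true;              // e.g. 'simple'
  const mode = auth.mode || 'required';                   // hapi default mode
  // 'optional' and 'try' still serve unauthenticated callers, so the route
  // is not hidden from anonymous viewers of the docs.
  return mode === 'required';
}

// Returns the routes a docs viewer may see. A viewer whose apiKey failed
// validation (isAuthenticated === false) only sees routes that do not require
// auth; an authenticated viewer sees everything, with `authorizationRequired`
// set so the UI can label the heading as proposed in the thread.
function visibleRoutes(routes, isAuthenticated) {
  return routes
    .map((r) => ({
      method: r.method,
      path: r.path,
      authorizationRequired: authRequired(r.config && r.config.auth),
    }))
    .filter((r) => isAuthenticated || !r.authorizationRequired);
}

// Constructed sample route table covering each auth form.
const sampleRoutes = [
  { method: 'GET',  path: '/health', config: {} },
  { method: 'GET',  path: '/public', config: { auth: false } },
  { method: 'GET',  path: '/users',  config: { auth: 'simple' } },
  { method: 'POST', path: '/users',  config: { auth: { strategy: 'simple', mode: 'required' } } },
  { method: 'GET',  path: '/feed',   config: { auth: { strategy: 'simple', mode: 'optional' } } },
];

// Anonymous viewer: /health, /public and /feed only.
const anonymousView = visibleRoutes(sampleRoutes, false);
// Authenticated viewer: all five, two of them flagged.
const authenticatedView = visibleRoutes(sampleRoutes, true);
```

In a real plugin the `routes` argument would come from `server.table()`, and `isAuthenticated` from running the same `simple` strategy against the docs request.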