Using Opentoken in Hapi.js
Ancient Knowledge
This article is getting old. It was written in the ancient times and the world of software development has changed a lot since then. I'm keeping it here for historical purposes, but I recommend you check out the newer articles on my site.
A new plugin I wrote that will allow Hapi to authenticate against PINGFederate Opentoken endpoints.
Usage
const opentoken = {
register: require('hapi-auth-opentoken'),
options: {
password: 'testPassword',
cipherSuite: 0,
tokenName: 'opentoken'
}
};
server.register([opentoken], (err) => {
server.auth.strategy('default', 'opentoken', { validateFunc: validate });
server.route({ method: 'GET', path: '/', config: { auth: 'default' } });
});
function validate(request, token, callback) {
// token contains the decrypted saml response
callback(err, { id: '12345', name: 'Jos Sykes' });
}
Options
Opentoken takes the following options
- password - the token decryption shared key (default: null)
- cipherSuite - the opentoken cipher algorithm used by the server. One of the following [0,1,2,3] (default: 0)
- tokenName - (required) the name of the parameter in the POST request body to parse the token from
- tokenTolerance - The amount of time (in seconds) to allow for clock skew between servers in seconds (default: 120)
- tokenLifetime - The duration (in seconds) for which the token is valid. (default: 300)
- tokenRenewal - The amount of time (in seconds) the token will renew itself for. (default: 12hrs)
Validation
The validation function has a signature of validate(request, token, callback) where
- request - the hapi.js request object
- token - the decrypted opentoken saml information
- callback - a callback function taking the following parameters
- err - An optional error message which gets logged to stdout, null if no error
- user - the user information to attach to request.auth.credentials in downstream methods