Authentication and Authorization - kkemple/awesome-enterprise-web-service GitHub Wiki
There are two layers of security for the web service, the first being authentication. Every route except the /api/healthcheck endpoint is authenticated; authenticated routes accept both basic auth and JSON Web Tokens (JWTs).
The second layer of defense is scopes. Hapi has built-in support for specifying scopes at the route level, but it leaves getting scopes onto the req.auth.credentials object up to the application developer. This has already been handled for you via the Auth plugin.
You can get as granular as you want with scopes. Scopes are associated with a user's role, which makes it easy to build groups of scopes that you can assign to users with little management.
You can also see how scopes are added to req.auth.credentials at src/plugins/api/auth/index.js#L30 or src/plugins/api/auth/index.js#L46.
Scopes
{
"user": [
"users:read:current",
"users:write:current",
],
"admin": [
"users:read:current",
"users:write:current",
"users:read",
"users:write",
"users:create",
"metrics:read",
],
"super": [
"users:read:current",
"users:write:current",
"users:read",
"users:write",
"users:create",
"users:delete",
"metrics:read",
],
}