Getting Started with hapi.js

Product type: Book
Published: April 2016
Publisher: Packt
ISBN-13: 9781785888182
Pages: 156
Edition: 1st

Chapter 5. Securing Applications with Authentication and Authorization

In this chapter, we're going to explore different methods of securing an application through authentication and authorization. We'll talk about some of the basics of each concept, and then show how hapi simplifies the process of adding both to an application in an easy-to-manage, configurable way.

Fortunately, hapi is a security-focused framework, and, as mentioned throughout this book, it aims to ensure that developers don't accidentally end up with unsafe defaults when implementing features such as authentication. Therefore, right from the framework's inception, it has had core support for both authentication and authorization (the scheme, strategy and scope machinery lives in hapi itself, with individual schemes supplied as plugins), rather than leaving the whole problem to a third-party module. Application security is core to almost every application nowadays; it's not enough for it to be an afterthought in an application or a framework.

When first working with a new technology or framework, security was usually the first stumbling block I...

Authentication


Authentication is the process of determining whether a user is who they claim to be: for whatever username they supply, they must also present another factor that proves the claim. Most often, this is done by supplying a secret that only the user should know, such as a password.

In most applications, a successful username and password check will return or create a token that is handed back to the user, so that subsequent requests within the application don't need to be re-authenticated with the same username and password. This token is usually stored in a cookie. Because whoever presents the token is treated as that user, the token must be unguessable (random or signed), should be set with the HttpOnly and Secure cookie attributes, and should expire.

In both cases, we take the password, token, or any other form of access key from the request to our application by parsing headers or cookies, depending on the type of authentication, and compare it with data stored in our database, such as a salted password hash or a session record. For those of you familiar with authentication, you may recognize the authentication protocols that have been described...

Authorization


While authentication is the process of verifying the identity of a user, authorization is the process of verifying whether that verified identity has permission to access a particular resource.

Fortunately, hapi has core support for authorization through scopes. A scope is set on the credentials object that our authentication strategy returns for a client (for example, scope: 'admin' or scope: ['user', 'admin']), which effectively assigns that client a role such as user or admin at the moment we authenticate them.

We can then specify which roles are authorized to access a route through the auth.scope property of the route's config object, by passing a string or an array of strings. The authenticated credentials' scope must contain at least one of the scopes listed on the route; if it doesn't, hapi rejects the request with a 403 Forbidden response before the handler runs. Let's take a look at what a sample application using scopes would look like:

const Hapi = require('hapi');
const Basic = require('hapi-auth-basic');
const server = new Hapi.Server();
server.connection({ port: 1337 });
server.register([
  Basic
], (err) => {
  if (err) { throw err; } // do not start without the auth plugin
  const basicConfig = {
    validateFunc: function (request, username, password, callback) {
      // Demo-only check; real code compares a salted hash in constant time
      if (username === 'admin1' && password === 'password') {
        // The book's listing is cut off here; the remainder is completed for illustration.
        // credentials.scope is what route scopes are checked against
        return callback(null, true, { id: 'admin1', name: 'admin1', scope: 'admin' });
      }
      return callback(null, false);
    }
  };
  server.auth.strategy('simple', 'basic', basicConfig);
  server.route({ // only credentials carrying the 'admin' scope get past here; others get 403
    method: 'GET', path: '/admin',
    config: { auth: { strategy: 'simple', scope: 'admin' } },
    handler: (request, reply) => reply('Welcome, ' + request.auth.credentials.name)
  });
  server.start((err) => { if (err) { throw err; } });
});
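To make the rule concrete, here is an added example (not the book's or hapi's own code) that reimplements, in plain Node.js, the scope check hapi performs once a route's auth.scope and the authenticated credentials' scope are both known: plain scopes form a selection of which at least one must be present, a scope prefixed with + is required, and a scope prefixed with ! is forbidden, following hapi's documented scope rules. The route table, the credentials, and the statusFor helper are constructed for the example so the logic can be exercised without starting a server.

```javascript
// Added example: a stand-alone reimplementation of hapi's route scope check.

// hapi accepts a single scope string or an array in both places, so normalise first.
function toScopeList(value) {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

// Returns true when credentials carrying `credentialsScope` may access a route
// configured with `routeScope` (the value of config.auth.scope in hapi):
//   'admin'        selection: at least one plain scope must be present
//   '+user'        required:  every '+' scope must be present
//   '!suspended'   forbidden: no '!' scope may be present
function isScopeAuthorized(routeScope, credentialsScope) {
  const wanted = toScopeList(routeScope);
  if (wanted.length === 0) return true; // route carries no scope restriction
  const have = new Set(toScopeList(credentialsScope));
  const selection = [];
  for (const scope of wanted) {
    if (scope.startsWith('+')) {
      if (!have.has(scope.slice(1))) return false;
    } else if (scope.startsWith('!')) {
      if (have.has(scope.slice(1))) return false;
    } else {
      selection.push(scope);
    }
  }
  // A route with only '+'/'!' entries passes once those are satisfied;
  // otherwise at least one selection scope must match.
  return selection.length === 0 || selection.some((scope) => have.has(scope));
}

// Constructed route table: what config.auth.scope would hold per route.
const ROUTES = {
  '/': undefined,                        // authenticated, any scope
  '/admin': 'admin',
  '/reports': ['admin', 'auditor'],      // either role will do
  '/billing': ['+user', '!suspended'],   // must be a user and must not be suspended
};

// Mimics the outcome hapi produces: 200 when the scope check passes, 403 when it
// fails. An unauthenticated request never reaches the scope check; hapi answers 401.
function statusFor(path, credentials) {
  if (!credentials) return 401;
  return isScopeAuthorized(ROUTES[path], credentials.scope) ? 200 : 403;
}
```

Note the two failure modes that are easy to get wrong when writing such a check by hand: credentials with no scope at all must be refused by any scoped route (the empty set matches nothing), and a required scope does not satisfy the selection on its own, so ['+user', 'admin'] still demands admin.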

Summary


In this chapter, we've looked at some basic methods of securing an application with hapi using multiple workflows in an easy-to-manage manner, without interfering with our internal application logic.

We looked first at authentication with hapi, and how it employs the concepts of schemes and strategies to simplify our authentication workflows. We looked at the basic authentication scheme, mainly to demonstrate how authentication would be configured in hapi. We then looked at the more commonly employed cookie authentication scheme, and how it can be used to implement a session for our web applications.

Finally, for authentication, we looked at using third-party services as authentication sources, and combining them with session authentication to maintain state between requests.

Following authentication, we explored hapi's support for authorization, and using scopes to implement simple route-level permissions for our apps.

Hopefully, this chapter has given you a good overview of different...
