The hapi.js documentation is not especially (complete) beginner-friendly [1] ...
What is the distinction between a Server Auth Scheme and Strategy?
Do we need to have both?
[1] If someone can explain the difference, we will PR into the docs.
Also posted on: https://github.com/hapijs/discuss/issues/163
Yes, you need both. They're different things entirely. They're explained here: http://hapijs.com/tutorials/auth. But let me rehash that differently:
SCHEMES
A scheme is a general type of authentication. Basic authentication and Digest authentication are different types of authentication, and in hapi each would be a different scheme. You can think of a scheme as a template for authentication. A scheme isn’t used directly to authenticate users; instead, you create a specific strategy from the scheme.
STRATEGIES
A strategy is a configured instance of a scheme with an assigned name. Strategies exist so you can use the same scheme several times, in a slightly different way. For instance, you might decide that you want to use basic authentication in your app. For some routes you might wish to validate a user’s password against a value in a database and for some other routes, you might wish to check the password against a value stored in a text file. In this case you can create 2 different strategies from the scheme. The scheme to strategy relationship is described visually below:
Most applications will create new strategies from pre-existing schemes that have been released as plugins (i.e. hapi-auth-basic).
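The split described in the answer above, as an added example that is not part of the original answer and is not hapi's code: `scheme()`, `strategy()` and `authenticate()` are simplified stand-ins modelled on `server.auth.scheme()` and `server.auth.strategy()`, and the strategy names and credential stores are constructed. One Basic scheme parses the header; two named strategies differ only in the `validate` option they pass to it.

```javascript
'use strict';
// Added illustration: a tiny stand-in for hapi's auth registry, not hapi itself.
const crypto = require('crypto');

const schemes = new Map();     // scheme name   -> factory(options)
const strategies = new Map();  // strategy name -> configured authenticate function

function scheme(name, factory) { schemes.set(name, factory); }
function strategy(name, schemeName, options) {
  if (!schemes.has(schemeName)) throw new Error(`Unknown scheme: ${schemeName}`);
  if (strategies.has(name)) throw new Error(`Strategy name in use: ${name}`);
  strategies.set(name, schemes.get(schemeName)(options));
}
function authenticate(strategyName, headers) {
  const fn = strategies.get(strategyName);
  if (!fn) throw new Error(`Unknown strategy: ${strategyName}`);
  return fn(headers);
}

// Compare fixed-length digests so the check does not leak length or prefix timing.
function safeEqual(a, b) {
  const h = (s) => crypto.createHash('sha256').update(s).digest();
  return crypto.timingSafeEqual(h(a), h(b));
}

// The scheme: knows how to parse "Authorization: Basic ...", not where passwords live.
scheme('basic', (options) => (headers) => {
  const m = /^Basic ([A-Za-z0-9+/=]+)$/.exec(headers.authorization || '');
  if (!m) return { isValid: false };
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 1) return { isValid: false };  // no colon, or empty username
  const user = decoded.slice(0, sep);
  return { isValid: options.validate(user, decoded.slice(sep + 1)) === true, user };
});

// Constructed sample stores (plaintext only to keep the example short).
const dbUsers = new Map([['alice', 'db-secret']]);
const fileUsers = 'bob:file-secret\n';

strategy('db-users', 'basic', {
  validate: (u, p) => dbUsers.has(u) && safeEqual(p, dbUsers.get(u)),
});
strategy('file-users', 'basic', {
  validate: (u, p) => fileUsers.split('\n').some((l) => l && safeEqual(l, `${u}:${p}`)),
});

// Builds the request header a client would send.
const basicHeader = (u, p) => ({ authorization: 'Basic ' + Buffer.from(`${u}:${p}`).toString('base64') });
```

A credential accepted by one strategy is rejected by the other, so the strategy a route names decides which user population can reach it.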