Looking to use HapiJS as our API server. We need fine-grained user permissions, e.g. "User A can edit field B", "User C can view field D" for a given model / resource.
Before we start building something I've been looking to see if something like this has already been done that is compatible with Hapi.
I have just read an article where the ACL permissions are validated using the built-in scopes.
Here is the link to the mentioned article: https://blog.andyet.com/2015/06/16/harnessing-hapi-scopes/
And to summarize quickly (using the example from the above link), you get a user object that looks like so:
    {
        "username": "han",
        "scope": ["door-trash-compactor"]
    }
The scope can be generated by whatever is backing your ACL for this user. In this case you have the resource door with id trash-compactor that can be checked like so:
    server.route({
        method: 'GET',
        // hapi names the URL pattern 'path' (not 'route'); {door_id} becomes request.params.door_id
        path: '/doors/{door_id}',
        config: {
            handler: function (request, reply) {
                // string concatenation needs the '+' operator
                reply(request.params.door_id + ' door is closed');
            },
            auth: {
                // dynamic scope: the placeholder is filled from the request before matching
                scope: ['door-{params.door_id}']
            }
        }
    });
The scope door-{params.door_id} will be translated to door-trash-compactor, which will then be validated. Han's request to the trash compactor door will be valid and he will get the "door is closed" message.
The blog post is well written (much better than this summary) and describes this in better detail - would recommend the read.
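To make the matching rule visible and testable without a running server, here is an added example (not code from the answer above, the linked post, or hapi itself) that re-implements the dynamic-scope check: expand the route's scope template from the request, then allow the request when at least one expanded scope is present in the user's scope array. It goes one step beyond the post by also encoding the field-level permission the question asks about as an `edit-{model}-{field}` scope. All function and variable names (`expandScope`, `scopeAllows`, `handle`, `openDoor`, `editField`, the extra `edit-user-email` scope on Han) are assumptions for illustration, and the credentials and requests are constructed inline.

```javascript
'use strict';

// Added example, not code from the linked post or from hapi itself: a minimal
// re-implementation of hapi's dynamic-scope check so the matching rule can be
// seen and tested without a running server. Names below are assumptions.

// Expand '{params.x}' / '{query.x}' / '{payload.x}' placeholders in a scope
// template using the request. A placeholder that resolves to nothing throws,
// so a missing parameter can never collapse 'door-{params.door_id}' into the
// bare literal 'door-' and accidentally match a scope of that name. (This is
// a deliberate fail-closed choice for the example, not a description of what
// hapi does on an unresolved placeholder.)
function expandScope(template, request) {
  return template.replace(/\{(params|query|payload)\.([^}]+)\}/g, (_m, source, key) => {
    const container = request[source];
    const value = container ? container[key] : undefined;
    if (value === undefined || value === null || value === '') {
      throw new Error(`scope template "${template}": ${source}.${key} is missing`);
    }
    return String(value);
  });
}

// Rule for a route 'scope' array: the request is allowed when at least one
// expanded route scope appears in credentials.scope.
function scopeAllows(routeScopes, request, credentials) {
  const granted = Array.isArray(credentials.scope) ? credentials.scope : [];
  const required = routeScopes.map((s) => expandScope(s, request));
  return required.some((s) => granted.includes(s));
}

// Simulated dispatch: run the scope check first, then the handler.
// The returned object is constructed for this example, not hapi's reply.
function handle(route, request) {
  if (!scopeAllows(route.scope, request, request.auth.credentials)) {
    return { statusCode: 403, message: 'Insufficient scope' };
  }
  return { statusCode: 200, message: route.handler(request) };
}

// The route from the answer above, expressed as plain data.
const doorRoute = {
  scope: ['door-{params.door_id}'],
  handler: (request) => `${request.params.door_id} door is closed`,
};

// Beyond the post: field-level permission from the question, one scope
// string per (action, model, field). The ACL backend would emit these.
const fieldEditRoute = {
  scope: ['edit-{params.model}-{params.field}'],
  handler: (request) => `${request.params.field} of ${request.params.model} updated`,
};

// Constructed credentials: Han may open the trash compactor and edit a
// user's email field, nothing else.
const han = {
  username: 'han',
  scope: ['door-trash-compactor', 'edit-user-email'],
};

function makeRequest(params, credentials) {
  return { params, auth: { credentials } };
}

function openDoor(user, doorId) {
  return handle(doorRoute, makeRequest({ door_id: doorId }, user));
}

function editField(user, model, field) {
  return handle(fieldEditRoute, makeRequest({ model, field }, user));
}

// Usage:
//   openDoor(han, 'trash-compactor')  -> 200, "trash-compactor door is closed"
//   openDoor(han, 'bridge')           -> 403
//   editField(han, 'user', 'email')   -> 200
//   editField(han, 'user', 'role')    -> 403
```

In a real hapi application this check runs inside the auth step before the handler is reached; the block only models the rule so you can see which scope string must come back from your ACL backend for a given route and request. Note the fail-closed choice in `expandScope`: if the ACL system ever issues a scope whose template part is empty, an unexpanded placeholder should not be allowed to match it.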
I've recently been working on an ACL project for hapijs. It should get you a good start. https://www.npmjs.org/package/hapi-authorization