Hapi Bell authentication implementation with Okta.
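// Load modules
require('dotenv').config()
const bell = require('@hapi/bell')
const hapi = require('@hapi/hapi')
const authCookie = require('@hapi/cookie')

// Runtime configuration. The Okta settings and the cookie password are read
// from the environment (populated from .env by dotenv above) so that no
// secret lives in the source file.
const config = {
  // Used to encrypt/sign both the session cookie and Bell's OAuth state
  // cookie; hapi requires at least 32 characters. The literal fallback is a
  // placeholder for local development only — set COOKIE_PASSWORD to a
  // randomly generated value (e.g. `openssl rand -hex 32`) anywhere the app
  // is shared or deployed.
  cookiePwd: process.env.COOKIE_PASSWORD ?? 'cookiecookiecookiecookiecookiecookiecookiecookiecookie',
  okta: {
    // Host name only (no scheme); the bell strategy prepends https://.
    domain: process.env.DOMAIN,
    clientId: process.env.CLIENT_ID,
    clientSecret: process.env.CLIENT_SECRET
  },
  // Public base URL of this server. Bell derives the redirect_uri it sends
  // to Okta from it, so it must match the URI registered in the Okta app.
  url: 'http://localhost:3006'
}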
// Declare internals
const { domain: oktaDomain, clientId: oktaClientId } = config.okta
console.log(`Domain is ${oktaDomain}`)
console.log(`Client ID is ${oktaClientId}`)
// The client secret is deliberately never written to the log.

const internals = {}

// Only mark cookies Secure in production so the http://localhost flow works.
const isSecure = process.env.NODE_ENV === 'production'
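// Build, configure and start the hapi server.
//
// Two auth strategies are registered:
//   - 'okta'    (bell)   — drives the OAuth redirect to Okta and handles the
//                          provider callback on /login.
//   - 'session' (cookie) — the local session created after a successful
//                          Okta login; it is the server-wide default.
internals.start = async function () {
  const server = hapi.server({ port: 3006 })

  // Register the cookie and bell plugins with the server
  await server.register([authCookie, bell])

  // Configure the cookie authorization strategy
  server.auth.strategy('session', 'cookie', {
    cookie: {
      name: 'sid-demo',
      password: config.cookiePwd,
      isSecure
      // isSameSite: 'Lax'
    },
    redirectTo: '/login', // If there is no session, redirect here
    // Called with the decrypted cookie payload on every request that uses
    // this strategy. Newer @hapi/cookie releases renamed this option to
    // `validate` — check against the installed version.
    validateFunc: async (request, session) => {
      // `session` is whatever /login stored via request.cookieAuth.set().
      // Validate that, not request.cookieAuth: the latter is the plugin's
      // helper object, which is always present and would make every
      // decrypted cookie look valid. A real app would look the user up here.
      const valid = Boolean(session)
      console.log('session valid?', valid)
      return { valid, credentials: session }
    }
  })

  // Declare an authentication strategy using the bell scheme
  // with the name of the provider, cookie encryption password,
  // and the OAuth client credentials.
  server.auth.strategy('okta', 'bell', {
    provider: 'okta',
    config: { uri: `https://${config.okta.domain}` },
    password: config.cookiePwd,
    isSecure,
    location: config.url,
    clientId: config.okta.clientId,
    clientSecret: config.okta.clientSecret
  })

  // Every route requires a session unless it opts out with auth: false
  server.auth.default('session')

  server.route([
    {
      method: 'GET',
      path: '/',
      options: {
        auth: false, // public landing page
        handler: (request, h) => {
          console.log('/')
          return h.response({ message: 'Home page.' }).code(200)
        }
      }
    },
    {
      method: ['GET', 'POST'], // Must handle both GET and POST
      path: '/login', // The callback endpoint registered with the provider
      options: {
        auth: {
          mode: 'try',
          strategy: 'okta'
        },
        handler: (request, h) => {
          console.log('/login')
          if (!request.auth.isAuthenticated) {
            // NOTE(review): this echoes the provider's error text back to the
            // client; a production app should log it and return a generic message.
            return `Authentication failed due to: ${request.auth.error.message}`
          }
          // Perform any account lookup or registration, setup local session,
          // and redirect to the application. The third-party credentials are
          // stored in request.auth.credentials. Any query parameters from
          // the initial request are passed back via
          // request.auth.credentials.query.
          //
          // The whole credentials object (provider tokens plus profile) goes
          // into the encrypted cookie. If it grows past the browser's cookie
          // size limit the browser may drop it, so a real app should store
          // only what later requests need (e.g. a user id).
          request.cookieAuth.set(request.auth.credentials)
          console.log('User authenticated, cookie set')
          return h.redirect('/secure')
        }
      }
    },
    {
      method: 'GET',
      path: '/secure',
      options: {
        // Uses the default 'session' strategy; unauthenticated requests are
        // redirected to /login by the cookie scheme.
        handler: (request, h) => {
          console.log('/secure')
          return h.response({ message: `Secured page for ${request.auth.artifacts.profile.email}` }).code(200)
        }
      }
    }
  ])

  await server.start()
}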
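// Start the server. A startup failure (port in use, plugin registration
// error, invalid strategy options) is reported and terminates the process
// instead of surfacing only as an unhandled promise rejection.
internals.start().catch((err) => {
  console.error('Server failed to start', err)
  process.exit(1)
})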