{"id":13566030,"url":"https://github.com/sholladay/hapi-doorkeeper","last_synced_at":"2026-03-02T05:31:15.999Z","repository":{"id":57260865,"uuid":"78200281","full_name":"sholladay/hapi-doorkeeper","owner":"sholladay","description":"User authentication for web servers","archived":false,"fork":false,"pushed_at":"2021-02-25T23:40:56.000Z","size":125,"stargazers_count":14,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-10-08T00:32:49.239Z","etag":null,"topics":["auth","auth0","authentication","authorization","cookie","hapi","login","logout","plugin"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sholladay.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-01-06T11:14:44.000Z","updated_at":"2021-09-21T13:59:20.000Z","dependencies_parsed_at":"2022-08-31T12:21:58.779Z","dependency_job_id":null,"html_url":"https://github.com/sholladay/hapi-doorkeeper","commit_stats":null,"previous_names":[],"tags_count":24,"template":false,"template_full_name":null,"purl":"pkg:github/sholladay/hapi-doorkeeper","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sholladay%2Fhapi-doorkeeper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sholladay%2Fhapi-doorkeeper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sholladay%2Fhapi-doorkeeper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sholladay%2Fhapi-doorkeeper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owner
s/sholladay","download_url":"https://codeload.github.com/sholladay/hapi-doorkeeper/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sholladay%2Fhapi-doorkeeper/sbom","scorecard":{"id":820496,"data":{"date":"2025-08-11","repo":{"name":"github.com/sholladay/hapi-doorkeeper","commit":"2205b08ebca845f650635b2e79f0cf33daee761f"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.5,"checks":[{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous 
patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Code-Review","score":0,"reason":"Found 1/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Mozilla Public License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 1 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-23T15:23:25.866Z","repository_id":57260865,"created_at":"2025-08-23T15:23:25.866Z","updated_at":"2025-08-23T15:23:25.866Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29993376,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-02T01:47:34.672Z","status":"online","status_checked_at":"2026-03-02T02:00:07.342Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth","auth0","authentication","authorization","cookie","hapi","login","logout","plugin"],"created_at":"2024-08-01T13:02:00.450Z","updated_at":"2026-03-02T05:31:15.968Z","avatar_url":"https://github.com/sholladay.png","language":"JavaScript","funding_links":[],"categories":["JavaScript"],"sub_categories":[],"readme":"# hapi-doorkeeper [![Build status for hapi Doorkeeper](https://travis-ci.com/sholladay/hapi-doorkeeper.svg?branch=master \"Build Status\")](https://travis-ci.com/sholladay/hapi-doorkeeper \"Builds\")\n\n\u003e User authentication for web servers\n\nThis [hapi](https://hapijs.com) plugin adds a secure login and logout system to your app by integrating [Auth0](https://auth0.com/).\n\n## Contents\n\n - [Why?](#why)\n - [Install](#install)\n - [Usage](#usage)\n - [API](#api)\n   - [Routes](#routes)\n   - [Plugin options](#plugin-options)\n - [Related](#related)\n - 
[Contributing](#contributing)\n - [License](#license)\n\n## Why?\n\n - User auth is a necessity for most apps and websites.\n - User auth is difficult to do correctly on your own.\n - Secure systems should be easy to set up and use.\n - Comes with built-in login and logout routes.\n\n## Install\n\n```sh\nnpm install hapi-doorkeeper\n```\n\n## Usage\n\nRegister the plugin on your server to add the `/login` and `/logout` routes, as well as the `session` strategy so that you can protect your app's routes with authentication.\n\n```js\nconst hapi = require('@hapi/hapi');\nconst bell = require('@hapi/bell');\nconst cookie = require('@hapi/cookie');\nconst doorkeeper = require('hapi-doorkeeper');\n\nconst server = hapi.server();\n\nconst init = async () =\u003e {\n    await server.register([bell, cookie, {\n        plugin  : doorkeeper,\n        options : {\n            sessionSecretKey : process.env.SESSION_SECRET_KEY,\n            auth0Domain      : process.env.AUTH0_DOMAIN,\n            auth0PublicKey   : process.env.AUTH0_PUBLIC_KEY,\n            auth0SecretKey   : process.env.AUTH0_SECRET_KEY\n        }\n    }]);\n    server.route({\n        method : 'GET',\n        path   : '/dashboard',\n        config : {\n            auth : {\n                strategy : 'session',\n                mode     : 'required'\n            }\n        },\n        handler(request) {\n            const { user } = request.auth.credentials;\n            return `Hi ${user.name}, you are logged in! Here is the profile from Auth0: \u003cpre\u003e${JSON.stringify(user.raw, null, 4)}\u003c/pre\u003e \u003ca href=\"/logout\"\u003eClick here to log out\u003c/a\u003e`;\n        }\n    });\n    await server.start();\n    console.log('Server ready:', server.info.uri);\n};\n\ninit();\n```\n\nIn the example above, only logged in users are able to access `/dashboard`, as denoted by the `session` strategy being `required`. 
If you are logged in, it will display your profile, otherwise it will redirect you to a login screen and after you log in it will redirect you back to `/dashboard`.\n\nAuthentication is managed by [Auth0](https://auth0.com/). A few steps are required to finish the integration.\n\n 1. [Sign up for Auth0](https://auth0.com/)\n 2. [Set up an Auth0 Application](https://auth0.com/docs/applications/application-types)\n 3. [Provide credentials from Auth0](#plugin-options)\n\nAfter users log in, a session cookie is created for them so that the server remembers them on future requests. The cookie is stateless, encrypted, and secured using flags such as `HttpOnly`. The user's [Auth0 profile](https://auth0.com/docs/user-profile/normalized/oidc) is automatically retrieved and stored in the session when they log in. You can access the profile data at `request.auth.credentials.user`. See [hapi-auth-cookie](https://github.com/hapijs/hapi-auth-cookie) and [iron](https://github.com/hueniverse/iron) for details about the cookie implementation and security.\n\nNote that your server must support HTTPS for everything to work properly. If you need help with that, see this [How To Guide](https://medium.freecodecamp.org/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec).\n\nAPIs can also be protected by the `session` strategy. Clients can send an [Accept](https://tools.ietf.org/html/rfc7231#section-5.3.2) header with a value of `application/json` to indicate that they would prefer a JSON error instead of a redirect to the login page for users who are not logged in. The client can use this to show an error message or redirect the user manually, as appropriate.\n\n## API\n\n### Routes\n\nStandard user authentication routes are added to your server when the plugin is registered.\n\n#### GET /login\n\nTags: `user`, `auth`, `session`, `login`\n\nBegins a user session. 
If a session is already active, the user will be given the opportunity to log in with a different account.\n\nIf users deny access to a [social](https://auth0.com/docs/identityproviders) account, they will be redirected back to the login page so that they may try again, because they probably clicked the wrong account or provider by accident. Other login errors will be returned to the client with a 401 Unauthorized status. You may use [`hapi-error-page`](https://github.com/sholladay/hapi-error-page) or [`onPreResponse`](https://hapijs.com/api#error-transformation) to display beautiful HTML pages for them.\n\nAfter logging in, users are redirected to the URL specified in the `next` query parameter, which defaults to `/`, the root of the server.\n\nAs an example, the login button on your FAQ page might be written as `\u003ca href=\"/login?next=/faq\"\u003eLog in\u003c/a\u003e`.\n\nOnly relative URLs are allowed in `next` for security reasons.\n\nRoutes that use the `session` strategy to require login have the `next` parameter set automatically for them, so that users are always sent back to the correct place.\n\n#### GET /logout\n\nTags: `user`, `auth`, `session`, `logout`\n\nEnds a user session. Safe to visit regardless of whether a session is active or the validity of the user's credentials. After logging out, users will be redirected to the URL specified in the `next` query parameter, which defaults to `/` (see [`/login`](#get-login) for details).\n\n### Plugin options\n\n#### sessionSecretKey\n\nType: `string`\n\nA passphrase used to secure session cookies. Should be at least 32 characters long and occasionally rotated. See [Iron](https://github.com/hueniverse/iron) for details.\n\n#### auth0Domain\n\nType: `string`\n\nThe domain used to log in to Auth0. This should be the domain of your tenant (e.g. `my-company.auth0.com`) or your own [custom domain](https://auth0.com/docs/custom-domains) (e.g. 
`auth.my-company.com`).\n\n#### auth0PublicKey\n\nType: `string`\n\nThe ID of your [Auth0 Application](https://manage.auth0.com/#/applications), sometimes referred to as the Client ID.\n\n#### auth0SecretKey\n\nType: `string`\n\nThe secret key of your [Auth0 Application](https://manage.auth0.com/#/applications), sometimes referred to as the Client Secret.\n\n#### providerParams(request)\n\nType: `function`\nDefault: Forward some query params from `/login` to Auth0\n\nAn optional event handler that receives an incoming request to the `/login` route and should return an object of query parameters to send to Auth0. See the [`providerParams` option](https://github.com/hapijs/bell/blob/master/API.md#options) in [bell](https://github.com/hapijs/bell) for details.\n\nBy default, we forward `screen` as `screen_hint` and `user` as `login_hint`. Because Auth0's hosted login page has special behavior based on those parameters, if you visit `/login?user=jane@example.com`, then on the log in screen `jane@example.com` will be prefilled as the email address to log in with. Similarly, `/login?screen=signup` will cause the sign up page to display instead of log in. This makes it easy to implement \"Log In\" and \"Sign Up\" buttons on your website that go directly to the correct screen.\n\nFor details on these parameters, see Auth0's documentation on the [New Universal Login Experience](https://auth0.com/docs/universal-login/new-experience).\n\n#### validateFunc(request, session)\n\nType: `function`\n\nAn optional event handler where you can put business logic to check and modify the session on each request. 
See the [`validateFunc` option](https://github.com/hapijs/hapi-auth-cookie#hapi-auth-cookie) in [hapi-auth-cookie](https://github.com/hapijs/hapi-auth-cookie) for details.\n\nThis is a good place to set [authorization scopes for users](https://futurestud.io/tutorials/hapi-restrict-user-access-with-scopes), if you need to restrict access to some routes for certain users.\n\n## Related\n\n - [lock](https://github.com/auth0/lock) - UI widget used on the login page\n\n## Contributing\n\nSee our [contributing guidelines](https://github.com/sholladay/hapi-doorkeeper/blob/master/CONTRIBUTING.md \"Guidelines for participating in this project\") for more details.\n\n1. [Fork it](https://github.com/sholladay/hapi-doorkeeper/fork).\n2. Make a feature branch: `git checkout -b my-new-feature`\n3. Commit your changes: `git commit -am 'Add some feature'`\n4. Push to the branch: `git push origin my-new-feature`\n5. [Submit a pull request](https://github.com/sholladay/hapi-doorkeeper/compare \"Submit code to this project for review\").\n\n## License\n\n[MPL-2.0](https://github.com/sholladay/hapi-doorkeeper/blob/master/LICENSE \"License for hapi-doorkeeper\") © [Seth Holladay](https://seth-holladay.com \"Author of hapi-doorkeeper\")\n\nGo make something, dang it.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsholladay%2Fhapi-doorkeeper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsholladay%2Fhapi-doorkeeper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsholladay%2Fhapi-doorkeeper/lists"}