Brief

When we write an API, after defining the auth system and many other things, we need to define who can access which routes. I like role-based access, where a user has to hold, among their roles, the specific one required for that content.

More or less like this: "Jeff wants to see Mary's phone number, but for that Jeff needs access to a telephone catalog, which requires the subscriber role."

A telephone catalog is old-fashioned, huh? Well, if Jeff isn't a subscriber of a telephone company, he cannot get a catalog (or he asks a friend who has that role, but that is another story).

A scope for accessing all things

If you read the last article, you're familiar with JWT auth in Hapi. This article is similar, but adds just one improvement.

Hapi gives us a built-in way to check roles directly in the route definitions. Check below:

As you can see, lines 19–21 and 30–32 add an auth object to each route; that object contains the scopes for the route. You can supply an array of strings to allow users with different roles to access the route: the user only needs to hold one of the listed roles to be granted access.

So, where do the roles come from? You need to add them in your auth scheme: when you generate the JWT and return it to the user, you have to send the roles as well, not just the ID.

In my case, I generate the JWT in the user's controller for both LogIn and Create; in both cases, after success, the getToken function is called.